diff options
author | rr929y <rr929y@att.com> | 2017-08-09 15:02:40 -0700 |
---|---|---|
committer | rr929y <rr929y@att.com> | 2017-08-09 15:02:40 -0700 |
commit | 26bad5de7505392d6f1d305944c5010943cc5175 (patch) | |
tree | aa979afb6ee546d9328fc6aff2b2c2936afe8e2f | |
parent | 5b1cee279df29c502081d515ab0d5eab4dbeef90 (diff) |
VNFRQTS Requirements -- Document Migration
VNFRQTS Requirements -- Migrated managment, heat, and cloud readiness
documents to their respective new chapters
VNFRQTS-38 VNFRQTS-40 VNFRQTS-41
Change-Id: I9747c8b811dbf24badf189af73cc5a248bdd5e8c
Issue-ID: VNFRQTS-40
Signed-off-by: rr929y <rr929y@att.com>
-rw-r--r-- | docs/Chapter4.rst | 1131 | ||||
-rw-r--r-- | docs/Chapter5.rst | 1663 | ||||
-rw-r--r-- | docs/Chapter7.rst | 1091 | ||||
-rw-r--r-- | docs/Chapter8.rst | 800 | ||||
-rw-r--r-- | docs/Data_Model_For_Event_Records.png | bin | 0 -> 79667 bytes |
5 files changed, 4675 insertions, 10 deletions
diff --git a/docs/Chapter4.rst b/docs/Chapter4.rst index dbfd114..6760637 100644 --- a/docs/Chapter4.rst +++ b/docs/Chapter4.rst @@ -1,8 +1,1129 @@ **4. VNF Development Requirements** ==================================== -a. VNF Design -#. VNF Resiliency -#. VNF Security -#. VNF Modularity -#. Devops
\ No newline at end of file +a. VNF Design +============== + +Services are composed of VNFs and common components and are designed to +be agnostic of the location to leverage capacity where it exists in the +Network Cloud. VNFs can be instantiated in any location that meets the +performance and latency requirements of the service. + +A key design principle for virtualizing services is decomposition of +network functions using NFV concepts into granular VNFs. This enables +instantiating and customizing only essential functions as needed for the +service, thereby making service delivery more nimble. It provides +flexibility of sizing and scaling and also provides flexibility with +packaging and deploying VNFs as needed for the service. It enables +grouping functions in a common cloud data center to minimize +inter-component latency. The VNFs should be designed with a goal of +being modular and reusable to enable using best-in-breed vendors + +Section 4.1.1 in *VNF Guidelines for Network Cloud and ONAP* describes +the overall guidelines for designing VNFs from VNF Components (VNFCs). +Below are more detailed requirements for composing VNFs. + ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| VNF Design Requirements | Type | ID # | ++================================================================================================================================================================================================================================+==========+=========+ +| Decompose VNFs into granular re-usable VNFCs | Should | 20010 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decompose if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions). | Must | 20020 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decomposition of the VNF must enable instantiating only the functionality that is needed for the VNF (e.g., if transcoding is not needed it should not be instantiated). | Must | 20030 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Design VNFC as a standalone, executable process. | Must | 20040 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Create a single component VNF for VNFCs that can be used by other VNFs. | Should | 20050 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Design to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources. | Must | 20060 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's. | Must | 20070 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| VNFCs should be independently deployed, configured, upgraded, scaled, monitored, and administered by ONAP. | Should | 20080 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide API versioning to allow for independent upgrades of VNFC. | Must | 20090 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another. | Should | 20100 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Maintain state in a geographically redundant datastore that may, in fact, be its own VNFC. | Should | 20110 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data. | Should | 20120 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores. | Must | 20130 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Failure of a VNFC instance must not terminate stable sessions. | Must | 20140 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec. | Must | 20150 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| When using DPDK, use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency. [1]_ | Must | 20160 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Do not use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements). | Must | 20170 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Limit the size of application data packets to no larger than 9000 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks. | Must | 20180 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Do not require the use of a dynamic routing protocol unless necessary to meet functional requirements. | Must | 20190 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +b. VNF Resiliency +================= + +The VNF is responsible for meeting its resiliency goals and must factor +in expected availability of the targeted virtualization environment. +This is likely to be much lower than found in a traditional data center. +Resiliency is defined as the ability of the VNF to respond to error +conditions and continue to provide the service intended. A number of +software resiliency dimensions have been identified as areas that should +be addressed to increase resiliency. As VNFs are deployed into the +Network Cloud, resiliency must be designed into the VNF software to +provide high availability versus relying on the Network Cloud to achieve +that end. + +Section 4.1.2 in *VNF Guidelines for Network Cloud and ONAP* describes +the overall guidelines for designing VNFs to meet resiliency goals. +Below are more detailed resiliency requirements for VNFs. + +All Layer Redundancy +-------------------- + +Design the VNF to be resilient to the failures of the underlying +virtualized infrastructure (Network Cloud). VNF design considerations +would include techniques such as multiple vLANs, multiple local and +geographic instances, multiple local and geographic data replication, +and virtualized services such as Load Balancers. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| All Layer Redundancy Requirements | Type | ID # | ++=======================================================================================================================================================================================================================================================================================================+========+=========+ +| VNFs are responsible to meet their own resiliency goals and not rely on the Network Cloud. | Must | 30010 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time. | Must | 30020 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| VNFs must survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure). | Must | 30030 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| VNFs must survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues). | Must | 30040 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Design, build and package VNFs to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained. | Must | 30050 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF. | Must | 30060 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades. | Must | 30070 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +Minimize Cross Data-Center Traffic +---------------------------------- + +Avoid performance-sapping data center-to-data center replication delay +by applying techniques such as caching and persistent transaction paths +- Eliminate replication delay impact between data centers by using a +concept of stickiness (i.e., once a client is routed to data center "A", +the client will stay with Data center “A” until the entire session is +completed). + ++------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Minimize Cross Data-Center Traffic Requirements | Type | ID # | ++==================================================================================================================+==========+=========+ +| Minimize the propagation of state information across multiple data centers to avoid cross data center traffic. | Should | 31010 | ++------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Application Resilient Error Handling +------------------------------------ + +Ensure an application communicating with a downstream peer is equipped +to intelligently handle all error conditions. Make sure code can handle +exceptions seamlessly - implement smart retry logic and implement +multi-point entry (multiple data centers) for back-end system +applications. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Application Resilient Error Handling Requirements | Type | ID # | ++==============================================================================================================================================================================================================================================================================================================================+========+=========+ +| Detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity. | Must | 32010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted. | Must | 32020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order. | Must | 32030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity. | Must | 32040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior. | Must | 32050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language. | Must | 32060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity. | Must | 32070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate. | Must | 32080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +System Resource Optimization +---------------------------- + +Ensure an application is using appropriate system resources for the task +at hand; for example, do not use network or IO operations inside +critical sections, which could end up blocking other threads or +processes or eating memory if they are unable to complete. Critical +sections should only contain memory operation, and should not contain +any network or IO operation. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| System Resource Optimization Requirements | Type | ID # | ++=================================================================================================================================================================================================================================================+==========+=========+ +| Do not execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput. | Must | 33010 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Automatically advertise newly scaled components so there is no manual intervention required. | Must | 33020 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize FQDNs (and not IP address) for both Service Chaining and scaling. | Must | 33030 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it. | Must | 33040 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Automatically enable/disable added/removed sub-components or component so there is no manual intervention required. | Should | 33050 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance. | Should | 33060 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support load balancing and discovery mechanisms in resource pools containing VNFC instances. | Should | 33070 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead. | Should | 33080 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list. | Should | 33090 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities. | Should | 33100 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Application Configuration Management +------------------------------------ + +Leverage configuration management audit capability to drive conformity +to develop gold configurations for technologies like Java, Python, etc. + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Application Configuration Management Requirements | Type | ID # | ++===================================================================================================================================================================================+========+=========+ +| Allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback. | Must | 34010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration. | Must | 34020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected. | Must | 34030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +Intelligent Transaction Distribution & Management +------------------------------------------------- + +Leverage Intelligent Load Balancing and redundant components (hardware +and modules) for all transactions, such that at any point in the +transaction: front end, middleware, back end -- a failure in any one +component does not result in a failure of the application or system; +i.e., transactions will continue to flow, albeit at a possibly reduced +capacity until the failed component restores itself. Create redundancy +in all layers (software and hardware) at local and remote data centers; +minimizing interdependencies of components (i.e. data replication, +deploying non-related elements in the same container). + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Intelligent Transaction Distribution & Management Requirements | Type | ID # | ++==================================================================================================================================================================================================================================+==========+=========+ +| Use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints. | Should | 35010 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source. | Should | 35020 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF. | Should | 35030 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Deployment Optimization +----------------------- + +Reduce opportunity for failure, by human or by machine, through smarter +deployment practices and automation. This can include rolling code +deployments, additional testing strategies, and smarter deployment +automation (remove the human from the mix). + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Deployment Optimization Requirements | Type | ID # | ++=====================================================================================================================================================================================================================================================+==========+=========+ +| Support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner. | Must | 36010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage. | Must | 36020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads. | Must | 36030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service. | Must | 36040 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget. | Must | 36050 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met. | Must | 36060 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements. | Should | 36070 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met. | Should | 36080 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Monitoring & Dashboard +---------------------- + +Promote dashboarding as a tool to monitor and support the general +operational health of a system. It is critical to the support of the +implementation of many resiliency patterns essential to the maintenance +of the system. It can help identify unusual conditions that might +indicate failure or the potential for failure. This would contribute to +improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and +post-incident diagnostics. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Monitoring & Dashboard Requirements | Type | ID # | ++================================================================================================================================================================================================================================================+==========+=========+ +| Provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed. | Must | 37010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting. | Must | 37020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries. | Must | 37030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity. | Must | 37040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors. | Must | 37050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging. | Should | 37060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed. | Should | 37070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF. | Must | 37080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +c. VNF Security +=============== + +The objective of this section is to provide the key security +requirements that need to be met by VNFs. The security requirements are +grouped into five areas as listed below. Other security areas will be +addressed in future updates. These security requirements are applicable +to all VNFs. Additional security requirements for specific types of VNFs +will be applicable and are outside the scope of these general +requirements. + +Section 4.1.3 in *VNF Guidelines for Network Cloud and ONAP* outlines +the five broad security areas for VNFs that are detailed in the +following sections: + +- **VNF General Security**: This section addresses general security + requirements for the VNFs that the vendors will need to address. + +- **VNF Identity and Access Management**: This section addresses + security requirements with respect to Identity and Access Management + as these pertain to generic VNFs. + +- **VNF API Security**: This section addresses the generic security + requirements associated with APIs. These requirements are applicable + to those VNFs that use standard APIs for communication and data + exchange. + +- **VNF Security Analytics**: This section addresses the security + requirements associated with analytics for VNFs that deal with + monitoring, data collection and analysis. + +- **VNF Data Protection**: This section addresses the security + requirements associated with data protection. + +VNF General Security Requirements +--------------------------------- + +This section provides details on the VNF general security requirements +on various security areas such as user access control, network security, +ACLs, infrastructure security, and vulnerability management. These +requirements cover topics associated with compliance, security patching, +logging/accounting, authentication, encryption, role-based access +control, least privilege access/authorization. The following security +requirements need to be met by the solution in a virtual environment: + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| General Security Requirements | Type | ID # | ++=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================+=========+=========+ +| Integration and operation within a robust security environment is necessary and expected. The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. | Informational | 40010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| The VNF must accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document. | Must | 40020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement access control list for OA&M services (e.g., restricting access to certain ports or applications). | Must | 40030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer. | Must | 40040 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing. | Should | 40050 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Use both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings. | Should | 40060 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Perform source code to scanning tools (e.g., Fortify) and provide reports. | Should | 40070 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Production code shall be distributed from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots. | Must | 40080 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning. | Must | 40090 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes). | Should | 40100 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers). | Should | 40110 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| VNF should support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools. | Should | 40120 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. | Must | 40130 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources. | Should | 40140 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| All access to applications (Bearer, signaling and OA&M) will pass through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools. | Must | 40150 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Patch vulnerabilities in VNFs as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations. | Must | 40160 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Identification, authentication and access control of **customer** or **VNF application users** must be performed by utilizing the NCSP’s IDAM API. | Must | 40170 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Identification, authentication and access control of **OA&M** and other system level functions must use the NCSP’s IDAM API or comply with the following is expected. | Must | 40180 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate. | Must | 40190 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users. | Must | 40200 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support Role-Based Access Control to permit/limit the user/application to performing specific activities. | Must | 40210 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support logging via ONAP for a historical view of “who did what and when”. | Must | 40220 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Encrypt OA&M access (e.g., SSH, SFTP). | Must | 40230 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable. | Must | 40240 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with the NCSP’s credential management policy. | Must | 40250 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Password expiration must be required at regular configurable intervals. | Must | 40260 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: | Must | 40270 | +| | | | | +| | - Be a minimum configurable number of characters in length. | | | +| | | | | +| | - Include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special. | | | +| | | | | +| | - Not be the same as the UserID with which they are associated or other common strings as specified by the environment. | | | +| | | | | +| | - Not contain repeating or sequential characters or numbers. | | | +| | | | | +| | - Not to use special characters that may have command functions. | | | +| | | | | +| | - New passwords must not contain sequences of three (3) or more characters from the previous password. | | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. | Must | 40280 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support use of common third party authentication and authorization tools such as TACACS+, RADIUS. | Must | 40290 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. | Must | 40300 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. | Must | 40310 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ + +VNF Identity and Access Management Requirements +----------------------------------------------- + +The following security requirements for logging, identity, and access +management need to be met by the solution in a virtual environment: + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Identity and Access Management Requirements | Type | ID # | ++================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Access to VNFs will be required at several layers. Hence, VNF vendor needs to be able to host connectors for access to the following layers: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Application | Must | 41010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. OS (Operating System) | Must | 41020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Database | Must | 41030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Manage access to VNF, its OS, or Database by an enterprise access request process. | Must | 41040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Comply with the following when persons or non-person entities access VNFs: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Individual Accountability (each person must be assigned a unique ID) | Must | 41050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Least Privilege (no more privilege than required to perform job functions) | Must | 41060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Segregation of Duties (access to a single layer and no developer may access production without special oversight) | Must | 41070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendors will not be allowed to access VNFs remotely, e.g., VPN | Must | 41080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendors accessing VNFs through a client application API must be authorized by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism. | Must | 41090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendor VNF access will be subject to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies. | Must | 41100 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide or Support the Identity and Access Management (IDAM) based threat detection data for: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. OWASP Top 10 | Must | 41110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Password Attacks | Must | 41120 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Phishing / SMishing | Must | 41130 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Malware (Key Logger) | Must | 41140 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Session Hijacking | Must | 41150 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. XSS / CSRF | Must | 41160 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Replay | Must | 41170 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Man in the Middle (MITM) | Must | 41180 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Eavesdropping | Must | 41190 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. | Must | 41200 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Where a VNF vendor requires the assumption of permissions, such as root or administrator, the vendor user must first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. | Must | 41210 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions. | Must | 41220 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Warning Notices: A formal statement of resource intent, i.e., a warning notice, must be made visible upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. | Must | 41230 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. | Must | 41240 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Initial and default settings for new user accounts must provide minimum privileges only. | Must | 41250 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Default settings for user access to sensitive commands and data must be denied authorization. | Must | 41260 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Privileged users may be created conforming to approved request, workflow authorization, and authorization provisioning requirements. | Must | 41270 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Commands affecting network services, such as commands relating to VNFs, must have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization. | Must | 41280 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. | Must | 41290 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Unnecessary or vulnerable cgi-bin programs must be disabled. | Must | 41300 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| No public or unrestricted access to any data should be provided without the permission of the data owner. All data classification and access controls must be followed. | Must | 41310 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| When in production, vendors or developers must not do the following without authorization of the VNF system owner including: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them; | Must | 41320 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Run security testing tools and programs, e.g., password cracker, port scanners, hacking tools. | Must | 41330 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Authentication credentials must not be included in security audit logs, even if encrypted. | Must | 41340 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| The standard interface for a VNF should be REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant. | Should | 41350 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support hosting connectors for OS Level and Application Access. | Should | 41360 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support SCEP (Simple Certificate Enrollment Protocol). | Should | 41370 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +VNF API Security Requirements +----------------------------- + +This section covers API security requirements when these are used by the +VNFs. Key security areas covered in API security are Access Control, +Authentication, Passwords, PKI Authentication Alarming, Anomaly +Detection, Lawful Intercept, Monitoring and Logging, Input Validation, +Cryptography, Business continuity, Biometric Authentication, +Identification, Confidentiality and Integrity, and Denial of Service. + +The solution in a virtual environment needs to meet the following API +security requirements: + ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| API Requirements | Type | ID # | ++==========================================================================================================================================================================================================================================================================================================================+========+=========+ +| Provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject. | Must | 42010 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Integrate with external authentication and authorization services (e.g., IDAM). | Must | 42020 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used | Must | 42030 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used. | Must | 42040 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. | Must | 42050 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools | Must | 42060 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement at minimum the following input validation controls: | | | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. | Must | 42070 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network. | Must | 42080 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. | Must | 42090 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Validate input at all layers implementing VNF APIs. | Must | 42100 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Comply with NIST standards and industry best practices for all implementations of cryptography | Must | 42110 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement all monitoring and logging as described in the Security Analytics section. | Must | 42120 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 42130 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. | Must | 42140 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support requests for information from law enforcement and government agencies. | Must | 42150 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +VNF Security Analytics Requirements +----------------------------------- + +This section covers VNF security analytics requirements that are mostly +applicable to security monitoring. The VNF Security Analytics cover the +collection and analysis of data following key areas of security +monitoring: + +- Anti-virus software + +- Logging + +- Data capture + +- Tasking + +- DPI + +- API based monitoring + +- Detection and notification + +- Resource exhaustion detection + +- Proactive and scalable monitoring + +- Mobility and guest VNF monitoring + +- Closed loop monitoring + +- Interfaces to management and orchestration + +- Malformed packet detections + +- Service chaining + +- Dynamic security control + +- Dynamic load balancing + +- Connection attempts to inactive ports (malicious port scanning) + +The following requirements of security monitoring need to be met by the +solution in a virtual environment. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security Analytics Requirements | Type | ID # | ++==========================================================================================================================================================================================================================================================================================+========+=========+ +| Support the following monitoring features by the VNF: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Real-time detection and notification of security events. | Must | 43010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users | Must | 43020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature | Must | 43030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Event logging, formats, and delivery tools to provide the required degree of event data to ONAP | Must | 43040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Detection of malformed packets due to software misconfiguration or software vulnerability | Must | 43050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME) | Must | 43060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication | Must | 43070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. | Must | 43080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident. | Must | 43090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. | Must | 43100 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Log the following events: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful and unsuccessful login attempts | Must | 43110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Logoffs | Must | 43120 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful and unsuccessful changes to a privilege level | Must | 43130 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Starting and stopping of security logging | Must | 43140 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Creating, removing, or changing the inherent privilege level of users | Must | 43150 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Connections to a network listener of the resource | Must | 43160 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Log, at minimum, the following fields (where applicable and technically feasible) in the security audit logs: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Event type | Must | 43170 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Date/time | Must | 43180 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Protocol | Must | 43190 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Service or program used for access | Must | 43200 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Success/failure | Must | 43210 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Login ID | Must | 43220 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security audit logs must never contain an authentication credential, e.g., password, even if encrypted. | Must | 43230 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data. | Must | 43240 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the capability of online storage of security audit logs. | Must | 43250 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Activate security alarms automatically when the following events, at a minimum, are detected: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Configurable number of consecutive unsuccessful login attempts | Must | 43260 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful modification of critical system or application files | Must | 43270 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Unsuccessful attempts to gain permissions or assume the identity of another user | Must | 43280 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Include, at a minimum, the following fields in the Security alarms (where applicable and technically feasible): | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Date | Must | 43290 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Time | Must | 43300 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Service or program used for access | Must | 43310 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Success/failure | Must | 43320 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Login ID | Must | 43330 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 43340 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. | Must | 43350 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support requests for information from law enforcement and government agencies. | Must | 43360 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives. | Must | 43370 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Perform data capture for security functions. | Must | 43380 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Generate security audit logs that must be sent to Security Analytics Tools for analysis. | Must | 43390 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum. | Must | 43400 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide security audit logs including records of successful and rejected system access data and other resource access attempts. | Must | 43410 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the storage of security audit logs for agreed period of time for forensic analysis. | Must | 43420 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate. | Must | 43430 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security logging for VNFs and their OSs must be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. | Must | 43440 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +VNF Data Protection Requirements +-------------------------------- + +This section covers VNF data protection requirements that are mostly +applicable to security monitoring. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Data Protection Requirements | Type | ID # | ++======================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Provide the capability to restrict read and write access to data. | Must | 44010 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to restrict access to data to specific users. | Must | 44020 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to encrypt data in transit on a physical or virtual network. | Must | 44030 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to encrypt data on non-volatile memory. | Must | 44040 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory, then if possible disable the paging of the data requiring encryption, if not the virtual memory should be encrypted. | Should | 44050 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to integrate with an external encryption service. | Must | 44060 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. | Must | 44070 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests. | Should | 44080 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| The SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption must not be used. | Must | 44090 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house. | Must | 44100 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| A VNF must provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact. | Must | 44110 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use symmetric keys of at least 112 bits in length. | Must | 44120 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use asymmetric keys of at least 2048 bits in length. | Must | 44130 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. Keys must not be generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data. | Must | 44140 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption. | Must | 44150 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor. | Must | 44160 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of allowing certificate renewal and revocation. | Must | 44170 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of testing the validity of a digital certificate by performing the following: | | | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The CA signature on the certificate must be validated | Must | 44180 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The date the certificate is being used must be within the validity period for the certificate | Must | 44190 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The Certificate Revocation List (CRL) for the certificates of that type must be checked to ensure that the certificate has not been revoked | Must | 44200 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The identity represented by the certificate — the "distinguished name" — must be recognized | Must | 44210 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of encrypting selected data fields stored or bound for security logs. | Must | 44220 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of deleting data stored in the VNF. | Must | 44230 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to make data available in order to support requests from law enforcement and government agencies as required by legal or regulatory mandates. Capability must be configurable for MOW deployment. | Must | 44240 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +d. VNF Modularity +================= + +VNF Modularity Overview +----------------------- + +OpenECOMP supports a modular Heat design pattern, referred to as *VNF +Modularity.* With this approach, a single VNF may be composed from one +or more Heat templates, each of which represents some subset of the +overall VNF. These component parts are referred to as “\ *VNF +Modules*\ ”. During orchestration, these modules may be deployed +incrementally to build up the complete VNF. + +A Heat template can be either one of the following types of modules: + +1. Base Module + +2. Incremental Modules + +3. Independent Cinder Volume Modules + +The OpenECOMP Heat template naming convention must be followed (Section +2.1). The naming convention identifies the module type. + +A VNF must be composed of one “base” VNF module (also called a base +module) and zero to many “incremental” or “add on” VNF modules. The base +module must be deployed first, prior to the add-on modules. + +A module can be thought of as equivalent to a Heat template, where a +Heat template is composed of a YAML file and an environment file (also +referred to as an ENV file). A given YAML file must have a corresponding +environment file; OpenECOMP requires it. + +A Heat template is used to create or deploy a Heat stack. Therefore, a +module is also equivalent to a Heat Stack. + +OpenECOMP supports the concept of an optional, independent deployment of +a Cinder volume via separate Heat templates. This allows the volume to +persist after VNF deletion so that the volume can be reused on another +instance (e.g. during a failover activity). + +The scope of a volume module, when it exists, must be 1:1 with the VNF +Module (base or add-on). A single volume module must create only the +volumes needed by a single VNF module (base or add-on). + +These concepts will be described in more detail throughout the document. +This overview is provided to set the stage and help clarify the concepts +that will be introduced. + +Design Pattern: VNF Modularity +------------------------------ + +OpenECOMP supports the concept of *VNF Modularity*. With this approach, +a single VNF may be composed from one or more Heat templates, each of +which represents some subset of the overall VNF. These component parts +are referred to as “\ *VNF Modules*\ ”. During orchestration, these +modules may be deployed incrementally to build up the complete VNF. + +A Heat template can be either one for the following types of modules + +1. Base Module + +2. Incremental Modules + +3. Independent Cinder Volume Modules + +The OpenECOMP Heat template naming convention must be followed (Section +2.1). The naming convention identifies the module type. + +A VNF must be composed of one “base” VNF module (also called a base +module) and zero to many “incremental” or “add on” VNF modules. The base +module must be deployed first prior to the add-on modules. + +A module can be thought of as equivalent to a Heat template, where a +Heat template is composed of a YAML file and an environment file. A +given YAML file must have a corresponding environment file; OpenECOMP +requires it. A Heat template is used to create or deploy a Heat stack. +Therefore, a module is also equivalent to a Heat Stack. + +However, there are cases where a module maybe composed of more than one +Heat stack and/or more than one YAML file. + +As discussed in Section 2.5, Independent Volume Templates, each VNF +Module may have an associated Volume template. + +- When a volume template is utilized, it must correspond 1:1 with + add-on module template or base template it is associated with + +- A Cinder volume may be embedded within the add-on module template + and/or base template if persistence is not required, thus not + requiring the optional Volume template. + +A VNF module may support nested templates. In this case, there will be +one or more additional YAML files. + +Any shared resource defined in the base module template and used across +the entire VNF (e.g., private networks, server groups), must be exposed +to the incremental or add-on modules by declaring their resource UUIDs +as Heat outputs (i.e., OpenECOMP Base Template Output Parameter in the +output section of the Heat template). Those outputs will be provided by +OpenECOMP as input parameter values to all add-on module Heat templates +in the VNF that have declared the parameter in the template. + +*Note:* A Cinder volume is *not* considered a shared resource. A volume +template must correspond 1:1 with a base template or add-on module +template. + +There are two suggested usage patterns for modular VNFs, though any +variation is supported. + +A. **Modules per VNFC type** + + a. Group all VMs (VNFCs) of a given type into its own module + + b. Build up the VNF one VNFC type at a time + + c. Base module contains only the shared resources (and possibly + initial Admin VMs) + + d. Suggest one or two modules per VNFC type + + i. one for initial count + + ii. one for scaling increment (if different from initial count) + +B. **Base VNF + Growth Units** + + a. Base module (template) contains a complete initial VNF instance + + b. Growth modules for incremental scaling units + + i. May contain VMs of multiple types in logical scaling + combinations + + ii. May be separated by VM type for multi-dimensional scaling + + c. With no growth units, this is equivalent to the “\ *One Heat + Template per VNF*\ ” model + +Note that modularization of VNFs is not required. A single Heat template +(a base template) may still define a complete VNF, which might be +appropriate for smaller VNFs without a lot of scaling options. + +There are some rules to follow when building modular VNF templates: + +1. All VNFs must have one Base VNF Module (template) that must be the + first one deployed. The base template: + + a. Must include all shared resources (e.g., private networks, server + groups, security groups) + + b. Must expose all shared resources (by UUID) as “outputs” in its + associated Heat template (i.e., OpenECOMP Base Template Output + Parameters) + + c. May include initial set of VMs + + d. May be operational as a stand-alone “minimum” configuration of the + VNF + +2. VNFs may have one or more Add-On VNF Modules (templates) which: + + a. Defines additional resources that can be added to an existing VNF + + b. Must be complete Heat templates + + i. i.e. not snippets to be incorporated into some larger template + + c. Should define logical growth-units or sub-components of an overall + VNF + + d. On creation, receives all Base VNF Module outputs as parameters + + i. Provides access to all shared resources (by UUID) + + ii. must not be dependent on other Add-On VNF Modules + + e. Multiple instances of an Add-On VNF Module type may be added to + the same VNF (e.g. incrementally grow a VNF by a fixed “add-on” + growth units) + +3. Each VNF Module (base or add-on) may have (optional) an associated + Volume template (*see Section 2.5*) + + a. Volume templates should correspond 1:1 with Module (base or + add-on) templates + + b. A Cinder volume may be embedded within the Module template (base + or add-on) if persistence is not required + +4. Shared resource UUIDs are passed between the base template and add-on + template via Heat Outputs Parameters (i.e., Base Template Output + Parameters) + + a. The output parameter name in the base must match the parameter + name in the add-on module + +*Examples:* + +In this example, the {vm-type} have been defined as “lb” for load +balancer and “admin” for admin server. + +1. **Base VNF Module Heat Template (partial)** + +Heat\_template\_version: 2013-05-23 + +.. code-block:: python + + parameters: + admin\_name\_0: + type: string + + resources: + int\_oam\_network: + type: OS::Neutron::Network + properties: + name: {… } + + admin\_server: + type: OS::Nova::Server + properties: + name: {get\_param: admin\_name\_0} + image: ... + + outputs: + int\_oam\_net\_id: + value: {get\_resource: int\_oam\_network } + + +2. **Add-on VNF Module Heat Template (partial)** + +Heat\_template\_version: 2013-05-23 + +.. code-block:: python + + Parameters: + int\_oam\_net\_id: + type: string + description: ID of shared private network from Base template + lb\_name\_0: + type: string + description: name for the add-on VM instance + + Resources: + lb\_server: + type: OS::Nova::Server + properties: + name: {get\_param: lb\_name\_0} + networks: + - port: { get\_resource: lb\_port } + ... + + lb\_port: + type: OS::Neutron::Port + properties: + network\_id: { get\_param: int\_oam\_net\_id } + ... + +Scaling Considerations +---------------------- + +Scaling of a VNF may be manually driven to add new capacity (**static +scaling**) or it may be driven in near real-time by the OpenECOMP +controllers based on a real-time need **(dynamic scaling).** + +With VNF Modularity, the recommended approach for scaling is to provide +additional “growth unit” templates that can be used to create additional +resources in logical scaling increments. This approach is very +straightforward, and has minimal impact on the currently running VNFCs +and must comply with the following: + +- Combine resources into reasonable-sized scaling increments; do not + just scale by one VM at a time in potentially large VNFs. + +- Combine related resources into the same growth template where + appropriate, e.g. if VMs of different types are always deployed in + pairs, include them in a single growth template. + +- Growth templates can use the private networks and other shared + resources exposed by the Base Module template. + +VNF Modules may also be updated “in-place” using the OpenStack Heat +Update capability, by deploying an updated Heat template with different +VM counts to an existing stack. This method requires another VNF module +template that includes the new resources *in addition to all resources +contained in the original module template*. Note that this also requires +re-specification of all existing parameters as well as new ones. + +*For this approach:* + +- Use a fixed number of pre-defined VNF module configurations + +- Successively larger templates must be identical to the next smaller + one, plus add the additional VMs of the scalable type(s) + +- VNF is scalable by sending a stack-update with a different template + +*Please do note that:* + +- If properties do not change for existing VMs, those VMs should remain + unchanged + +- If the update is performed with a smaller template, the Heat engine + recognizes and deletes no-longer-needed VMs (and associated + resources) + +- Nested templates for the various server types will simplify reuse + across multiple configurations + +- Per the section on Use of Heat ResourceGroup, if *ResourceGroup* is + ever used for scaling (e.g. increment the count and include an + additional element to each list parameter), Heat will often rebuild + every existing element in addition to adding the “deltas”. For this + reason, use of *ResourceGroup* for scaling in this manner is not + supported. + +e. VNF Devops +============= + +This section includes guidelines for vendors to ensure that a Network +Cloud Service Provider’s operations personnel have a common and +consistent way to support VNFs and VNFCs. + +NCSPs may elect to support standard images to enable compliance with +security, audit, regulatory and other needs. As part of the overall VNF +software bundle, VNF suppliers using standard images would typically +provide the NCSP with an install package consistent with the default OS +package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS). + +Section 4.1.4 in *VNF Guidelines for Network Cloud and ONAP* describes +the DevOps guidelines for VNFs. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| DevOps Requirements | Type | ID # | ++==============================================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [2]_ | Must | 50010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize only NCSP provided Guest OS images.\ :sup:`2` | Should | 50020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize only NCSP standard compute flavors.\ :sup:`2` | Must | 50030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Running VMs will not be backed up in the Network Cloud infrastructure. VNF’s are responsible for preserving their persistent data. | Must | 50040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Install VNFC(s) on non-root file systems, unless software is specifically included with the operating system distribution of the guest image. | Must | 50050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Be agnostic to the underlying infrastructure (such as hardware, host OS, Hypervisor), any requirements should be provided as specification to be fulfilled by any hardware. | Must | 50060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Hypervisor-level customization must not be required from the cloud provider. | Must | 50070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide an automated test suite to validate every new version of the software on the target environment(s). The tests should be of sufficient granularity to independently test various representative VNF use cases throughout its lifecycle. Operations might choose to invoke these tests either on a scheduled basis or on demand to support various operations functions including test, turn-up and troubleshooting. | Should | 50080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the ability to test incremental growth of the VNF | Should | 50090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| If a VNF provides a load balancing function across multiple instances of its VNFCs, then the VNF must respond to a "move traffic"\ :sup:`3` command against a specific VNFC, moving all existing session elsewhere with minimal disruption. | Must | 50100 | +| | | | +| Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints. | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| To support scenarios such as proactive maintenance with no user impact, if a VNF provides a load balancing function across multiple instances of its VNFCs, then the VNF must respond to a "drain VNFC" [3]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC. | Must | 50110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + + +.. [1] + Refer to NCSP’s Network Cloud specification + +.. [2] + Refer to NCSP’s Network Cloud specification + +.. [3] + Not currently supported in ONAP release 1 diff --git a/docs/Chapter5.rst b/docs/Chapter5.rst index 340f842..e900cd0 100644 --- a/docs/Chapter5.rst +++ b/docs/Chapter5.rst @@ -2,4 +2,1665 @@ ===================================== a. TOSCA YAML -#. Heat +============= + +b. Heat +======= + +General Guidelines +------------------ + +The Heat templates supported by OpenECOMP must follow the requirements +enumerated in this section. + +Filenames +--------- + +In order to enable OpenECOMP to understand the relationship between Heat +files, the following Heat file naming convention must be followed. + +- The file name for the base module Heat template must include “base” + in the filename. + + - Examples: *base\_xyz.yml* or *base\_xyz.yaml*; *xyz\_base.yml* or + *xyz\_base.yaml* + +- There is no explicit naming convention for the add-on modules. + + - Examples: *module1.yml* or *module1.yaml* + +- All Cinder volume templates must be named the same as the + corresponding Heat template with “\_volume” appended to the file + name. + + - Examples: *base\_xyz\_volume.yml* or *base\_xyz\_volume.yaml*; + *xyz\_base\_volume.yml* or *xyz\_base\_volume.yaml*; + *module1\_volume.yml* or *module1\_volume.yaml* (referencing the + above base module Heat template name) + +- The file name of the environment files must fully match the + corresponding Heat template filename and have *.env* or *.ENV* + extension. + + - Examples: *base\_xyz.env* or *base\_xyz.ENV*; *xyz\_base.env* or + *xyz\_base.ENV*; *base\_xyz\_volume.env* or + *base\_xyz\_volume.ENV*; *module1.env* or *module1.ENV; + module1\_volume.env* or *module1\_volume.ENV* (referencing the + above base module Heat template name) + +- A YAML file must have a corresponding ENV file, even if the ENV file + enumerates no parameters. It is an OpenECOMP requirement. + +Valid YAML Format +------------------ + +A Heat template (a YAML file and its corresponding environment file) +must be formatted in valid YAML. For a description of YAML, refer to the +following OpenStack wiki. + +https://wiki.openstack.org/wiki/Heat/YAMLTemplates + +A Heat template must follow a specific format. The OpenStack Heat +Orchestration Template (HOT) specification explains in detail all +elements of the HOT template format. + +http://docs.openstack.org/developer/heat/template_guide/hot_spec.html + +Parameter Categories & Specification +------------------------------------ + +Parameter Categories +~~~~~~~~~~~~~~~~~~~~ + +OpenECOMP requires the Heat template parameters to follow certain +requirements in order for it to be orchestrated or deployed. OpenECOMP +classifies parameters into eight broad categories. + +- **OpenECOMP Metadata**: OpenECOMP mandatory and optional metadata + parameters in the resource *OS::Nova::Server*. + + - OpenECOMP dictates the naming convention of these Metadata + parameters and must be adhered to (See Section 4.4). + + - Metadata parameters must not be enumerated in the environment + file. + + - The OpenECOMP Metadata are generated and/or assigned by OpenECOMP + and supplied to the Heat by OpenECOMP at orchestration time. + +- **OpenECOMP Orchestration Parameters**: The data associated with + these parameters are VNF instance specific. + + - OpenECOMP enforces the naming convention of these parameters and + must be adhered to (See Section 4). + + - These parameters must not be enumerated in the environment file. + + - The OpenECOMP Orchestration Parameters are generated and/or + assigned by OpenECOMP and supplied to the Heat by OpenECOMP at + orchestration time. + +- **VNF Orchestration Parameters**: The data associated with these + parameters are VNF instance specific. + + - While OpenECOMP does not enforce a naming convention, the + parameter names should include {vm-type} and {network-role} when + appropriate. (See Section 4) + + - These parameters must not be enumerated in the environment file. + + - The VNF Orchestration Parameters Heat are generated and/or + assigned by OpenECOMP and supplied to the Heat by OpenECOMP at + orchestration time. + +- **OpenECOMP Orchestration Constants**: The data associated with these + parameters must be constant across all VNF instances. + + - OpenECOMP enforces the naming convention of these parameters and + must be adhered to (See Section 4). + + - These parameters must be enumerated in the environment file. + +- **VNF Orchestration Constants**: The data associated with these + parameters must be constant across all VNF instances. + + - While OpenECOMP does not enforce a naming convention, the + parameter names should include {vm-type} and {network-role} when + appropriate. (See Section 4) + + - These parameters must be enumerated in the environment file. + +- **OpenECOMP Base Template Output Parameters** (also referred to as + Base Template Output Parameters): The output section of the base + template allows for specifying output parameters available to add-on + modules once the base template has been instantiated. The parameter + defined in the output section of the base must be identical to the + parameter defined in the add-on module(s) where the parameter is + used. + +- **OpenECOMP Volume Template Output Parameters** (also referred to as + Volume Template Output Parameters): The output section of the volume + template allows for specifying output parameters available to the + corresponding Heat template (base or add-on) once the volume template + has been instantiated. The parameter defined in the output section of + the volume must be identical to the parameter defined in the base or + add-on module. + +- **OpenECOMP Predefined Output Parameters** (also referred to as + Predefined Output Parameters): OpenECOMP will look for a small set of + pre-defined Heat output parameters to capture resource attributes for + inventory in OpenECOMP. These parameters are specified in Section + 4.6. + +The table below summarizes the Parameter Types. If the user is +orchestrating a manual spin up of Heat (e.g. OpenStack command line), +the parameter values that OpenECOMP supplies must be enumerated in the +environment file. However, when the Heat is to be loaded into OpenECOMP +for orchestration, the parameters that OpenECOMP supplies must be +deleted or marked with a comment (i.e., a “#” placed at the beginning of +a line). + ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| Parameter Type | Naming Convention | Parameter Value Source | ++===============================================+=====================+=================================================================================+ +| OpenECOMP Metadata | Explicit | OpenECOMP | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| OpenECOMP Orchestration Parameters | Explicit | OpenECOMP | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| VNF Orchestration Parameters | Recommended | OpenECOMP | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| OpenECOMP Orchestration Constants | Explicit | Environment File | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| VNF Orchestration Constants | Recommended | Environment File | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| OpenECOMP Base Template Output Parameters | Recommended | Heat Output Statement for base, OpenECOMP supplied to add-on modules | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| OpenECOMP Volume Template Output Parameters | Recommended | Heat Output Statement for volume, OpeneECOMP supplies to corresponding module | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ +| OpenECOMP Predefined Output Parameters | Explicit | Heat Output Statement | ++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ + +Table 1 Parameter Types + +Parameter Specifications +~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenECOMP METADATA Parameters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +OpenECOMP defines four “metadata” parameters: vnf\_id, vf\_module\_id, +vnf\_name, vf\_module\_name. These parameters must not define any +constraints in the Heat template, including length restrictions, ranges, +default value and/or allowed patterns. + +OpenECOMP Base Template & Volume Template Output Parameters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The base template and volume template output parameters are defined as +input parameters in subsequent modules. When defined as input +parameters, these parameters must not define any constraints in the Heat +template, including length restrictions, ranges, default value and/or +allowed patterns. The parameter name defined in the output statement of +the Heat must be identical to the parameter name defined in the Heat +that is to receive the value. + +OpenECOMP Predefined Output Parameters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +These parameters must not define any constraints in the Heat template, +including length restrictions, ranges, default value and/or allowed +patterns. + +OpenECOMP Orchestration Parameters, VNF Orchestration Parameters, OpenECOMP Orchestration Constants, VNF Orchestration Constants +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +OpenECOMP Orchestration Parameters, VNF Orchestration Parameters, +OpenECOMP Orchestration Constants, VNF Orchestration Constants must +adhere to the following: + +- All parameters should be clearly documented in the template, + including expected values. + +- All parameters should be clearly specified, including constraints and + description. + +- Numeric parameter constraints should include range and/or allowed + values. + +- When the parameter type is a string and the parameter name contains + an index, the index must be zero based. That is, the index starts at + zero. + +- When the parameter type is a Comma Delimited List (CDL), the + reference index must start at zero. + +- Default values must only be supplied in a Heat environment file to + keep the template itself as clean as possible. + +- Special characters must not be used in parameter names, as currently + only alphanumeric characters and “\_” underscores are allowed. + +Use of Heat Environments +------------------------ + +A YAML file must have a corresponding environment file (also referred to +as ENV file), even if the environment file defines no parameters. It is +an OpenECOMP requirement. + +The environment file must contain parameter values for the OpenECOMP +Orchestration Constants and VNF Orchestration Constants. These +parameters are identical across all instances of a VNF type, and +expected to change infrequently. The OpenECOMP Orchestration Constants +are associated with OS::Nova::Server image and flavor properties (See +Section 4.3). Examples of VNF Orchestration Constants are the networking +parameters associated with an internal network (e.g. private IP ranges) +and Cinder volume sizes. + +The environment file must not contain parameter values for parameters +that are instance specific (OpenECOMP Orchestration Parameters, VNF +Orchestration Parameters). These parameters are supplied to the Heat by +OpenECOMP at orchestration time. The parameters are generated and/or +assigned by OpenECOMP at orchestration time + +Independent Volume Templates +---------------------------- + +OpenECOMP supports independent deployment of a Cinder volume via +separate Heat templates. This allows the volume to persist after VNF +deletion so that they can be reused on another instance (e.g. during a +failover activity). + +A VNF Incremental Module or Base Module may have an independent volume +module. Use of separate volume modules is optional. A Cinder volume may +be embedded within the Incremental or Base Module if persistence is not +required. + +If a VNF Incremental Module or Base Module has an independent volume +module, the scope of volume templates must be 1:1 with Incremental +module or Base module. A single volume module must create only the +volumes required by a single Incremental module or Base module. + +The following rules apply to independent volume Heat templates: + +- Cinder volumes must be created in a separate Heat template from the + Incremental and Base Modules. + + - A single volume module must include all Cinder volumes needed by + the Incremental/Base module. + + - The volume template must define “outputs” for each Cinder volume + resource universally unique identifier (UUID) (i.e. OpenECOMP + Volume Template Output Parameters). + +- The VNF Incremental Module or Base Module must define input + parameters that match each Volume output parameter (i.e., OpenECOMP + Volume Template Output Parameters). + + - OpenECOMP will supply the volume template outputs automatically to + the bases/incremental template input parameters. + +- Volume modules may utilize nested Heat templates. + +**Example (volume template):** + + In this example, the {vm-type} has been left as a variable. + {vm-type} is described in section 4.1. If the VM was a load + balancer, the {vm-type} could be defined as “lb” + +.. code-block:: python + + parameters: + vm-typevnf\_name: + type: string + {vm-type}\_volume\_size\_0: + type: number + ... + + resources: + {vm-type}\_volume\_0: + type: OS::Cinder::Volume + properties: + name: + str\_replace: + template: VNF\_NAME\_volume\_0 + params: + VNF\_NAME: { get\_param: vnf\_name } + size: {get\_param: {vm-type}\_volume\_size\_0} + ... + +*(+ additional volume definitions)* + +.. code-block:: python + + outputs: + {vm-type}\_volume\_id\_0: + value: {get\_resource: {vm-type}\_volume\_0} + ... + +*(+ additional volume outputs)* + +*Example (VNF module template):* + +.. code-block:: python + + parameters: + {vm-type}\_name\_0: + type: string + {vm-type}\_volume\_id\_0: + type: string + ... + + resources: + {vm-type}\_0: + type: OS::Nova::Server + properties: + name: {get\_param: {vm-type}\_name\_0} + networks: + ... + + {vm-type}\_0\_volume\_attach: + type: OS::Cinder::VolumeAttachment + properties: + instance\_uuid: { get\_resource: {vm-type}\_0 } + volume\_id: { get\_param: {vm-type}\_volume\_id\_0 } + +Nested Heat Templates +--------------------- + +OpenECOMP supports nested Heat templates per the OpenStack +specifications. Nested templates may be suitable for larger VNFs that +contain many repeated instances of the same VM type(s). A common usage +pattern is to create a nested template for each VM type along with its +supporting resources. The master VNF template (or VNF Module template) +may then reference these component templates either statically (by +repeated definition) or dynamically (via *OS::Heat::ResourceGroup*). + +Nested template support in OpenECOMP is subject to the following +limitations: + +- Heat templates for OpenECOMP must only have one level of nesting. + OpenECOMP only supports one level of nesting. + +- Nested templates must be referenced by file name in the master + template + + - i.e. use of *resource\_registry* in the .env file is *not* + currently supported + +- Nested templates must have unique file names within the scope of the + VNF + +- OpenECOMP does not support a directory hierarchy for nested + templates. All templates must be in a single, flat directory (per + VNF) + +- A nested template may be shared by all Modules (i.e., Heat templates) + within a given VNF + +Networking +---------- + +External Networks +----------------- + +VNF templates must not include any resources for external networks +connected to the VNF. In this context, “external” is in relation to the +VNF itself (not with regard to the Network Cloud site). External +networks may also be referred to as “inter-VNF” networks. + +- External networks must be orchestrated separately, so they can be + shared by multiple VNFs and managed independently. When the external + network is created, it must be assigned a unique {network-role} (See + section 4.2). + +- External networks must be passed into the VNF template as parameters, + including the network-id (i.e. the neutron network UUID) and optional + subnet ID. + +- VNF templates must pass the appropriate external network IDs into + nested VM templates when nested Heat is used. + +- VNFs may use DHCP assigned IP addresses or assign fixed IPs when + attaching VMs to an external network. + +- OpenECOMP enforces a naming convention for parameters associated with + external networks. + +- Parameter values associated with an external network will be + generated and/or assigned by OpenECOMP at orchestration time. + +- Parameter values associated with an external network must not be + enumerated in the environment file. + +Internal Networks +----------------- + +Orchestration activities related to internal networks must be included +in VNF templates. In this context, “internal” is in relation to the VNF +itself (not in relation to the Network Cloud site). Internal networks +may also be referred to as “intra-VNF” networks or “private” networks. + +- Internal networks must not attach to any external gateways and/or + routers. Internal networks are for intra-VM communication only. + +- In the modular approach, internal networks must be created in the + Base Module template, with their resource IDs exposed as outputs + (i.e., OpenECOMP Base Template Output Parameters) for use by all + add-on module templates. When the external network is created, it + must be assigned a unique {network-role} (See section 4.2). + +- VNFs may use DHCP assigned IP addresses or assign fixed IPs when + attaching VMs to an internal network. + +- OpenECOMP does not enforce a naming convention for parameters for + internal network, however, a naming convention is provided that + should be followed. + +- Parameter values associated with an internal network must either be + passed as output parameter from the base template (i.e., OpenECOMP + Base Template Output Parameters) into the add-on modules or be + enumerated in the environment file. + +IP Address Assignment +--------------------- + +- VMs connect to external networks using either fixed (e.g. statically + assigned) IP addresses or DHCP assigned IP addresses. + +- VMs connect to internal networks using either fixed (e.g. statically + assigned) IP addresses or DHCP assigned IP addresses. + +- Neutron Floating IPs must not be used. OpenECOMP does not support + Neutron Floating IPs. + +- OpenECOMP supports the OS::Neutron::Port property + “allowed\_address\_pairs.” See Section 4.4.3. + +Parameter Naming Convention +--------------------------- + +{vm-type} +--------- + +A common *{vm-type}* identifier must be used throughout the Heat +template in naming parameters, for each VM type in the VNF with the +following exceptions: + +- The four OpenECOMP Metadata parameters must not be prefixed with a + common {vm-type} identifier. They are *vnf\_name*, *vnf\_id*, + *vf\_module\_id*, *vf\_module\_name*. + +- Parameters only referring to a network or subnetwork must not be + prefixed with a common {vm-type} identifier. + +- The parameter referring to the OS::Nova::Server property + availability\_zone must not be prefixed with a common {vm-type} + identifier. + +- {vm-type} must be unique to the VNF. It does not have to be globally + unique across all VNFs that OpenECOMP supports. + +{network-role} +-------------- + +VNF templates must not include any resources for external networks +connected to the VNF. In this context, “external” is in relation to the +VNF itself (not with regard to the Network Cloud site). External +networks may also be referred to as “inter-VNF” networks. + +External networks must be orchestrated separately, so they can be shared +by multiple VNFs and managed independently. When the external network is +created, it must be assigned a unique {network-role}. + +“External” networks must be passed into the VNF template as parameters. +Examples include the network-id (i.e. the neutron network UUID) and +optional subnet ID. See section 4.4.3. + +Any parameter that is associated with an external network must include +the {network-role} as part of the parameter name. + +Internal network parameters must also define a {network-role}. Any +parameter that is associated with an internal network must include +int\_{network-role} as part of the parameter name. + +Resource: OS::Nova::Server - Parameters +--------------------------------------- + +The following OS::Nova::Server Resource Property Parameter Names must +follow the OpenECOMP parameter Naming Convention. All the parameters +associated with OS::Nova::Server are classified as OpenECOMP +Orchestration Parameters. + ++----------------------+-----------------------------------------+------------------+ +| OS::Nova::Server | ++======================+=========================================+==================+ +| Property | OpenECOMP Parameter Naming Convention | Parameter Type | ++----------------------+-----------------------------------------+------------------+ +| image | {*vm-type*}\_image\_name | string | ++----------------------+-----------------------------------------+------------------+ +| flavor | {*vm-type*}\_flavor\_name | string | ++----------------------+-----------------------------------------+------------------+ +| name | {*vm-type*}\_name\_{*index*} | string | ++----------------------+-----------------------------------------+------------------+ +| | {vm-type}\_names | CDL | ++----------------------+-----------------------------------------+------------------+ +| availability\_zone | availability\_zone\_{index} | string | ++----------------------+-----------------------------------------+------------------+ + +Table 2 Resource Property Parameter Names + +Property: image +~~~~~~~~~~~~~~~ + +Image is an OpenECOMP Orchestration Constant parameter. The image must +be referenced by the Network Cloud Service Provider (NCSP) image name, +with the parameter enumerated in the Heat environment file. + +The parameters must be named *“{vm-type}\_image\_name”* in the VNF. + +Each VM type (e.g., {vm-type}) should have a separate parameter for +images, even if several share the same image. This provides maximum +clarity and flexibility. + +Property: flavor +~~~~~~~~~~~~~~~~ + +Flavor is an OpenECOMP Orchestration Constant parameter. The flavors +must be referenced by the Network Cloud Service Provider (NCSP) flavor +name, with the parameter enumerated in the Heat environment file. + +The parameters must be named *“{vm-type}\_flavor\_name”* for each +*{vm-type}* in the VNF. + +Each VM type should have separate parameters for flavors, even if more +than one VM shares the same flavor. This provides maximum clarity and +flexibility. + +Property: Name +~~~~~~~~~~~~~~ + +Name is an OpenEOMP Orchestration parameter; the value is provided to +the Heat template by OpenECOMP. + +VM names (hostnames) for assignment to VM instances must be passed to +Heat templates either as + +- an array (comma delimited list) for each VM type + +- a set of fixed-index parameters for each VM type instance. + +Each element in the VM Name list should be assigned to successive +instances of that VM type. + +The parameter names must reflect the VM Type (i.e., include the +{vm-type} in the parameter name.) The parameter name format must be one +of the following: + +- If the parameter type is a comma delimited list: {**vm-type**}\_names + +- If the parameter type is a string with a fixed index: + {**vm-type**}\_name\_{**index**} + +If a VNF contains more than three instances of a given {vm-type}, the +CDL form of the parameter name (i.e., *{vm-type}*\ \_names} should be +used to minimize the number of unique parameters defined in the Heat. + +*Examples:* + +.. code-block:: python + + parameters: + {vm-type}\_names: + type: comma\_delimited\_list + description: VM Names for {vm-type} VMs + {vm-type}\_name\_{index}: + type: string + description: VM Name for {vm-type} VM {index} + +*Example (CDL):* + +In this example, the {vm-type} has been defined as “lb” for load +balancer. + +.. code-block:: python + + parameters: + lb\_names: + type: comma\_delimited\_list + description: VM Names for lb VMs + resources: + lb\_0: + type: OS::Nova::Server + properties: + name: { get\_param: [lb\_names, 0] } + ... + + lb\_1: + type: OS::Nova::Server + properties: + name: { get\_param: [lb\_names, 1] } + ... + +**Example (fixed-index):** + +In this example, the {vm-type} has been defined as “lb” for load +balancer. + +.. code-block:: python + + parameters: + lb\_name\_0: + type: string + description: VM Name for lb VM 0 + lb\_name\_1: + type: string + description: VM Name for lb VM 1 + + resources: + lb\_0: + type: OS::Nova::Server + properties: + name: { get\_param: lb\_name\_0 } + ... + + lb\_1: + type: OS::Nova::Server + properties: + name: { get\_param: lb\_name\_1 } + ... + +Property: availability\_zone +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Availability\_zone is an OpenECOMP Orchestration parameter; the value is +provided to the Heat template by OpenECOMP. + +Availability zones must be passed as individual numbered parameters (not +as arrays) so that VNFs with multi-availability zone requirements can +clearly specify that in its parameter definitions. + +The availability zone parameter must be defined as +“availability\_zone\_{index}”, with the {index} starting at zero. + +*Example:* + +In this example, the {vm-type} has been defined as “lb” for load +balancer. + +.. code-block:: python + + parameters: + lb\_names: + type: comma\_delimited\_list + description: VM Names for lb VMs + availability\_zone\_0: + type: string + description: First availability zone ID or Name + + resources: + lb\_0: + type: OS::Nova::Server + properties: + name: { get\_param: [lb\_names, 0] } + availability\_zone: { get\_param: availability\_zone\_0 } + ... + +Resource: OS::Nova::Server - Metadata +------------------------------------- + +This section describes the OpenECOMP Metadata parameters. + +OpenECOMP Heat templates must include the following three parameters +that are used as metadata under the resource OS::Nova:Server: vnf\_id, +vf\_module\_id, vnf\_name + +OpenECOMP Heat templates may include the following parameter that is +used as metadata under the resource OS::Nova:Server: vf\_module\_name. + +These parameters are all classified as OpenECOMP Metadata. + ++---------------------------+------------------+----------------------+ +| Metadata Parameter Name | Parameter Type | Mandatory/Optional | ++===========================+==================+======================+ +| vnf\_id | string | mandatory | ++---------------------------+------------------+----------------------+ +| vf\_module\_id | string | mandatory | ++---------------------------+------------------+----------------------+ +| vnf\_name | string | mandatory | ++---------------------------+------------------+----------------------+ +| vf\_module\_name | string | optional | ++---------------------------+------------------+----------------------+ + + Table 3 OpenECOMP Metadata + +Required Metadata Elements +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The vnf\_id, vf\_module\_id, and vnf\_name metadata elements are +required (must) for *OS::Nova::Server* resources. The metadata +parameters will be used by OpenECOMP to associate the servers with the +VNF instance. + +- vnf\_id + + - *“vnf\_id”* parameter value will be supplied by OpenECOMP. + OpenECOMP generates the UUID that is the vnf\_id and supplies it + to the Heat at orchestration time. + +- vf\_module\_id + + - “\ *vf\_module\_id”* parameter value will be supplied by + OpenECOMP. OpenECOMP generates the UUID that is the vf\_module\_id + and supplies it to the Heat at orchestration time. + +- vnf\_name + + - “\ *vnf\_name”* parameter value will be generated and/or assigned + by OpenECOMP and supplied to the Heat by OpenECOMP at + orchestration time. + +Optional Metadata Elements +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following metadata element is optional for *OS::Nova::Server* +resources: + +- *vf\_module\_name* + + - The vf\_module\_name is the name of the name of the Heat stack + (e.g., <STACK\_NAME>) in the command “Heat stack-create” (e.g. + Heat stack-create [-f <FILE>] [-e <FILE>] <STACK\_NAME>). The + <STACK\_NAME> needs to be specified as part of the orchestration + process. + + - *“vf\_module\_name”* parameter value, when used, will be supplied + by OpenECOMP to the Heat at orchestration time. The parameter will + be generated and/or assigned by OpenECOMP and supplied to the Heat + by OpenECOMP at orchestration time. + +*Example* + +In this example, the {vm-type} has been defined as “lb” for load +balancer. + +.. code-block:: python + + parameters: + vnf\_name: + type: string + description: Unique name for this VNF instance + vnf\_id: + type: string + description: Unique ID for this VNF instance + vf\_module\_name: + type: string + description: Unique name for this VNF Module instance + vf\_module\_id: + type: string + description: Unique ID for this VNF Module instance + + resources: + lb\_server\_group: + type: OS::Nova::ServerGroup + properties: + name: + str\_replace: + template: VNF\_NAME\_lb\_ServerGroup + params: + VNF\_NAME: { get\_param: VNF\_name } + policies: [ ‘anti-affinity’ ] + + lb\_vm\_0: + type: OS::Nova::Server + properties: + name: { get\_param: lb\_name\_0 } + scheduler\_hints: + group: { get\_resource: lb\_server\_group } + metadata: + vnf\_name: { get\_param: vnf\_name } + vnf\_id: { get\_param: vnf\_id } + vf\_module\_name: { get\_param: vf\_module\_name } + vf\_module\_id: { get\_param: vf\_module\_id } + ... + +Resource: OS::Neutron::Port - Parameters +---------------------------------------- + +The following four OS::Neutron::Port Resource Property Parameters must +adhere to the OpenECOMP parameter naming convention. + +- network + +- subnet + +- fixed\_ips + +- allowed\_address\_pairs + +These four parameters reference a network, which maybe an external +network or an internal network. Thus the parameter will include +{network-role} in its name. + +When the parameter references an external network, the parameter is an +OpenECOMP Orchestration Parameter. The parameter value must be supplied +by OpenECOMP. The parameters must adhere to the OpenECOMP parameter +naming convention. + ++---------------------------+-----------------------------------------------+------------------+ +| OS::Neutron::Port | ++===========================+===============================================+==================+ +| Property | Parameter Name for External Networks | Parameter Type | ++---------------------------+-----------------------------------------------+------------------+ +| Network | {network-role}\_net\_id | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {network-role}\_net\_name | string | ++---------------------------+-----------------------------------------------+------------------+ +| Subnet | {network-role}\_subnet\_id | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {network-role}\_v6\_subnet\_id | string | ++---------------------------+-----------------------------------------------+------------------+ +| fixed\_ips | {vm-type}\_{network-role}\_ip\_{index} | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_ips | CDL | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_v6\_ip\_{index} | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_v6\_ips | CDL | ++---------------------------+-----------------------------------------------+------------------+ +| allowed\_address\_pairs | {vm-type}\_{network-role}\_floating\_ip | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_floating\_v6\_ip | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_ip\_{index} | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_ips | CDL | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_v6\_ip\_{index} | string | ++---------------------------+-----------------------------------------------+------------------+ +| | {vm-type}\_{network-role}\_v6\_ips | CDL | ++---------------------------+-----------------------------------------------+------------------+ + +Table 4 Port Resource Property Parameters (External Networks) + +When the parameter references an internal network, the parameter is a +VNF Orchestration Parameters. The parameter value(s) must be supplied +either via an output statement(s) in the base module (i.e., OpenECOMP +Base Template Output Parameters) or be enumerated in the environment +file. The parameters must adhere to the following parameter naming +convention. + ++---------------------------+----------------------------------------------------+------------------+ +| OS::Neutron::Port | ++===========================+====================================================+==================+ +| Property | Parameter Name for Internal Networks | Parameter Type | ++---------------------------+----------------------------------------------------+------------------+ +| Network | int\_{network-role}\_net\_id | string | ++---------------------------+----------------------------------------------------+------------------+ +| | int\_{network-role}\_net\_name | string | ++---------------------------+----------------------------------------------------+------------------+ +| Subnet | int\_{network-role}\_subnet\_id | string | ++---------------------------+----------------------------------------------------+------------------+ +| | Int\_{network-role}\_v6\_subnet\_id | string | ++---------------------------+----------------------------------------------------+------------------+ +| fixed\_ips | {vm-type}\_int\_{network-role}\_ip\_{index} | string | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_ips | CDL | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_v6\_ip\_{index} | string | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_v6\_ips | CDL | ++---------------------------+----------------------------------------------------+------------------+ +| allowed\_address\_pairs | {vm-type}\_int\_{network-role}\_floating\_ip | string | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_floating\_v6\_ip | string | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_ip\_{index} | string | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_ips | CDL | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_v6\_ip\_{index} | string | ++---------------------------+----------------------------------------------------+------------------+ +| | {vm-type}\_int\_{network-role}\_v6\_ips | CDL | ++---------------------------+----------------------------------------------------+------------------+ + +Table 5 Port Resource Property Parameters (Internal Networks) + +Property: network & subnet +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The property “networks” in the resource OS::Neutron::Port must be +referenced by Neutron Network ID, a UUID value, or by the network name +defined in OpenStack. + +When the parameter is referencing an “external” network, the parameter +must adhere to the following naming convention + +- *“{*\ network-role}\_net\_id”, for the Neutron network ID + +- “{network-role}\_net\_name”, for the network name in OpenStack + +When the parameter is referencing an “internal” network, the parameter +must adhere to the following naming convention. + +- “\ *int\_{network-role}\_net\_id*\ ”, for the Neutron network ID + +- “\ *int\_{network-role}\_net\_name*\ ”, for the network name in + OpenStack + +The property “subnet\_id” must be used if a DHCP IP address assignment +is being requested and the DHCP IP address assignment is targeted at a +specific subnet. + +The property “subnet\_id” should not be used if all IP assignments are +fixed, or if the DHCP assignment does not target a specific subnet + +When the parameter is referencing an “external” network subnet, the +“subnet\_id” parameter must adhere to the following naming convention. + +- “\ *{network-role}\_subnet\_id*\ ” if the subnet is an IPv4 subnet + +- “\ *{network-role}\_v6\_subnet\_id”* if the subnet is an IPv6 subnet + +When the parameter is referencing an “internal” network subnet, the +“subnet\_id” parameter must adhere to the following naming convention. + +- “\ *int\_{network-role}\_subnet\_id*\ ” if the subnet is an IPv4 + subnet + +- “\ *int\_{network-role}\_v6\_subnet\_id*\ ” if the subnet is an IPv6 + subnet + +*Example:* + +.. code-block:: python + + parameters: + {network-role}\_net\_id: + type: string + description: Neutron UUID for the {network-role} network + {network-role}\_net\_name: + type: string + description: Neutron name for the {network-role} network + {network-role}\_subnet\_id: + type: string + description: Neutron subnet UUID for the {network-role} network + {network-role}\_v6\_subnet\_id: + type: string + description: Neutron subnet UUID for the {network-role} network + +*Example:* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “lb” for +load balancer. + +.. code-block:: python + + parameters: + oam\_net\_id: + type: string + description: Neutron UUID for the oam network + + resources: + lb\_port\_1: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + +Property: fixed\_ips +~~~~~~~~~~~~~~~~~~~~ + +The property “fixed\_ips” in the resource OS::Neutron::Port must be used +when statically assigning IP addresses. + +An IP address is assigned to a port on a type of VM (i.e., {vm-type}) +that is connected to a type of network (i.e., {network-role}). These two +tags are components of the parameter name. + +When the “fixed\_ips” parameter is referencing an “external” network, +the parameter must adhere to the naming convention below. The parameter +may be a comma delimited list or a string. + +There must be a different parameter name for IPv4 IP addresses and IPv6 +addresses + +- **Comma-delimited list:** Each element in the IP list should be + assigned to successive instances of that VM type on that network. + + - *Format for IPv4 addresses:* {vm-type}\_{network-role}\_ips + + - *Format for IPv6 addresses:* {vm-type}\_{network-role}\_v6\_ips + +- **A set of fixed-index parameters:** In this case, the parameter + should have “\ *type: string*\ ” and must be repeated for every IP + expected for each {vm-type} + {network-role} pair. + + - *Format for IPv4 addresses:* + {vm-type}\_{network-role}\_ip\_{index} + + - *Format for IPv6 addresses:* + {vm-type}\_{network-role}\_v6\_ip\_{index} + +When the “fixed\_ips” parameter is referencing an “internal” network, +the parameter must adhere to the naming convention below. The parameter +may be a comma delimited list or a string. + +There must be a different parameter name for IPv4 IP addresses and IPv6 +addresses + +- **Comma-delimited list:** Each element in the IP list should be + assigned to successive instances of that VM type on that network. + + - *Format for IPv4 addresses:* {vm-type}\_int\_{network-role}\_ips + + - *Format for IPv6 addresses:* + {vm-type}\_int\_{network-role}\_v6\_ips + +- **A set of fixed-index parameters:** In this case, the parameter + should have “\ *type: string*\ ” and must be repeated for every IP + expected for each {vm-type} and {network-role}pair. + + - *Format for IPv4 addresses:* + {vm-type}\_int\_{network-role}\_ip\_{index} + + - *Format for IPv6 addresses:* + {vm-type}\_int\_{network-role}\_v6\_ip\_{index} + +If a VNF contains more than three IP addresses for a given {vm-type} and +{network-role} combination, the CDL form of the parameter name should be +used to minimize the number of unique parameters defined in the Heat. + +*Example (external network)* + +.. code-block:: python + + parameters: + {vm-type}\_{network-role}\_ips: + type: comma\_delimited\_list + description: Fixed IPv4 assignments for {vm-type} VMs on the + {network-role} network + {vm-type}\_{network-role}\_v6\_ips: + type: comma\_delimited\_list + description: Fixed IPv6 assignments for {vm-type} VMs on the + {network-role} network + {vm-type}\_{network-role}\_ip\_{index}: + type: string + description: Fixed IPv4 assignment for {vm-type} VM {index} on the + {network-role} network + {vm-type}\_{network-role}\_v6\_ip\_{index}: + type: string + description: Fixed IPv6 assignment for {vm-type} VM {index} on the + {network-role} network + +*Example (CDL parameter for IPv4 Address Assignments to an external +network):* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “db” for +database. + +.. code-block:: python + + parameters: + oam\_net\_id: + type: string + description: Neutron UUID for a oam network + db\_oam\_ips: + type: comma\_delimited\_list + description: Fixed IP assignments for db VMs on the oam network + + resources: + db\_0\_port\_1: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [ db\_oam\_ips, 0] + }}] + db\_1\_port\_1: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [ db\_oam\_ips, 1] + }}] + +*Example (string parameters for IPv4 Address Assignments to an external +network):* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “db” for +database. + +.. code-block:: python + + parameters: + oam\_net\_id: + type: string + description: Neutron UUID for an OAM network + db\_oam\_ip\_0: + type: string + description: First fixed IP assignment for db VMs on the OAM network + db\_oam\_ip\_1: + type: string + description: Second fixed IP assignment for db VMs on the OAM network + + resources: + db\_0\_port\_1: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: db\_oam\_ip\_0}}] + db\_1\_port\_1: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: db\_oam\_ip\_1}}] + +Property: allowed\_address\_pairs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The property “allowed\_address\_pairs” in the resource OS::Neutron::Port +allows the user to specify mac\_address/ip\_address (CIDR) pairs that +pass through a port regardless of subnet. This enables the use of +protocols such as VRRP, which floats an IP address between two instances +to enable fast data plane failover. An “allowed\_address\_pairs” is +unique to a {vm-type} and {network-role} combination. The management of +these IP addresses (i.e. transferring ownership between active and +standby VMs) is the responsibility of the application itself. + +Note that these parameters are *not* intended to represent Neutron +“Floating IP” resources, for which OpenStack manages a pool of public IP +addresses that are mapped to specific VM ports. In that case, the +individual VMs are not even aware of the public IPs, and all assignment +of public IPs to VMs is via OpenStack commands. OpenECOMP does not +support Neutron-style Floating IPs. + +Both IPv4 and IPv6 “allowed\_address\_pairs” addresses are supported. + +If property “allowed\_address\_pairs” is used with an external network, +the parameter name must adhere to the following convention: + +- *Format for IPv4 addresses: {vm-type}\_{network-role}\_floating\_ip* + +- *Format for IPv6 addresses: + {vm-type}\_{network-role}\_floating\_v6\_ip* + +*Example:* + +.. code-block:: python + + parameters: + {vm-type}\_{network-role}\_floating\_ip: + type: string + description: VIP for {vm-type} VMs on the {network-role} network + {vm-type}\_{network-role}\_floating\_v6\_ip: + type: string + description: VIP for {vm-type} VMs on the {network-role} network + +*Example:* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “db” for +database. + +.. code-block:: python + + parameters: + db\_oam\_ips: + type: comma\_delimited\_list + description: Fixed IPs for db VMs on the oam network + db\_oam\_floating\_ip: + type: string + description: Floating IP for db VMs on the oam network + resources: + db\_0\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [db\_oam\_ips,0] }}] + allowed\_address\_pairs: [ + { “ip\_address”: {get\_param: db\_oam\_floating\_ip}}] + db\_1\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [db\_oam\_ips,1] }}] + allowed\_address\_pairs: [ + { “ip\_address”: {get\_param: db\_oam\_floating\_ip}}] + +If property “allowed\_address\_pairs” is used with an internal network, +the parameter name should adhere to the following convention: + +- *Format for IPv4 addresses: + {vm-type}\_int\_{network-role}\_floating\_ip* + +- *Format for IPv6 addresses: + {vm-type}\_int\_{network-role}\_floating\_v6\_ip* + +Using the parameter *{vm-type}\_{network-role}\_floating\_ip* or +*{vm-type}\_{network-role}\_floating\_v6\_ip* provides only one floating +IP per Vm-type{vm-type} and {network-role} pair. If there is a need for +multiple floating IPs (e.g., Virtual IPs (VIPs)) for a given {vm-type} +and {network-role} combination within a VNF, then the parameter names +defined for the “fixed\_ips” should be used with the +“allowed\_address\_pairs” property. The examples below illustrate this. + +Below example reflects two load balancer pairs in a single VNF. Each +pair has one VIP. + +*Example: A VNF has four load balancers. Each pair has a unique VIP.* + +*Pair 1:* lb\_0 and lb\_1 share a unique VIP + +*Pair 2:* lb\_2 and lb\_3 share a unique VIP + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “lb” for +load balancer. + +.. code-block:: python + + resources: + lb\_0\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,0] }}] + allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,2] }}] + + lb\_1\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,1] }}] + allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,2] }}] + + lb\_2\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,3] }}] + allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,5] }}] + + lb\_3\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,4] }}] + allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,5] }}] + +Below example reflects a single app VM pair within a VNF with two VIPs: + +*Example: A VNF has two load balancers. The pair of load balancers share +two VIPs.* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “lb” for +load balancer. + +.. code-block:: python + + resources: + lb\_0\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,0] }}] + allowed\_address\_pairs: [{ "ip\_address": {get\_param: [lb\_oam\_ips,2] }, {get\_param: [lb\_oam\_ips,3] }}] + + lb\_1\_port\_0: + type: OS::Neutron::Port + network: { get\_param: oam\_net\_id } + fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,1] }}] + allowed\_address\_pairs: [{ "ip\_address": {get\_param: [lb\_oam\_ips,2] }, {get\_param: [lb\_oam\_ips,3] }}] + +As a general rule, provide the fixed IPs for the VMs indexed first in +the CDL and then the VIPs as shown in the examples above. + +Resource Property: name +----------------------- + +The parameter naming standard for the resource OS::Nova::Server has been +defined in Section 4.3.3. This section describes how the name property +of all other resources must be defined. + +Heat templates must use the Heat “str\_replace” function in conjunction +with the OpenECOMP supplied metadata parameter *vnf\_name* or +*vnf\_module\_id* to generate a unique name for each VNF instance. This +prevents the use of unique parameters values for resource “name” +properties to be enumerated in a per instance environment file. + +Note that + +- In most cases, only the use of the vnf\_name is necessary to create a + unique name + +- the Heat pseudo parameter 'OS::stack\_name’ can also be used in the + ‘str\_replace’ construct to generate a unique name when the vnf\_name + does not provide uniqueness + +.. code-block:: python + + type: OS::Cinder::Volume + properities: + name: + str\_replace: + template: VF\_NAME\_STACK\_NAME\_oam\_volume + params: + VF\_NAME: { get\_param: vnf\_name } + STACK\_NAME: { get\_param: 'OS::stack\_name' } + + type: OS::Neutron::SecurityGroup + properties: + description: Security Group of Firewall + name: + str\_replace: + template: VNF\_NAME\_Firewall\_SecurityGroup + params: + VNF\_NAME: { get\_param: vnf\_name } + +Output Parameters +----------------- + +OpenECOMP defines three type of Output Parameters. + +Base Template Output Parameters: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The base template output parameters are available for use as input +parameters in all add-on modules. The add-on modules may (or may not) +use these parameters. + +Volume Template Output Parameters: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The volume template output parameters are only available only for the +module (base or add on) that the volume is associated with. + +Predefined Output Parameters +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenECOMP currently defines one predefined output parameter. + +OAM Management IP Addresses +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Many VNFs will have a management interface for application controllers +to interact with and configure the VNF. Typically, this will be via a +specific VM that performs a VNF administration function. The IP address +of this interface must be captured and inventoried by OpenECOMP. This +might be a VIP if the VNF contains an HA pair of management VMs, or may +be a single IP address assigned to one VM. + +The Heat template may define either (or both) of the following Output +parameters to identify the management IP address. + +- *oam\_management\_v4\_address* + +- *oam\_management\_v6\_address* + +*Notes*: + +- The Management IP Address should be defined only once per VNF, so it + would only appear in one Module template + +- If a fixed IP for the admin VM is passed as an input parameter, it + may be echoed in the output parameters + +- If the IP for the admin VM is obtained via DHCP, it may be obtained + from the resource attributes + +*Example:* + +.. code-block:: python + + resources: + admin\_server: + type: OS::Nova::Server + properties: + networks: + - network: {get\_param: oam\_net\_id } + ... + + Outputs: + oam\_management\_v4\_address: + value: {get\_attr: [admin\_server, networks, {get\_param: oam\_net\_id}, 0] } + +Heat Template Constructs +------------------------ + +External References +------------------- + +Heat templates *should not* reference any HTTP-based resource +definitions, any HTTP-based nested configurations, or any HTTP-based +environment files. + +- During orchestration, OpenECOMP *should not* retrieve any such + resources from external/untrusted/unknown sources. + +- VNF images should not contain such references in user-data or other + configuration/operational scripts that are specified via Heat or + encoded into the VNF image itself. + +*Note:* HTTP-based references are acceptable if the HTTP-based reference +is accessing information with the VM private/internal network. + +Heat Files Support (get\_file) +------------------------------ + +Heat Templates may contain the inclusion of text files into Heat +templates via the Heat “get\_file” directive. This may be used, for +example, to define a common “user-data” script, or to inject files into +a VM on startup via the “personality” property. + +Support for Heat Files is subject to the following limitations: + +- The ‘get\_files’ targets must be referenced in Heat templates by file + name, and the corresponding files should be delivered to OpenECOMP + along with the Heat templates. + + - URL-based file retrieval must not be used; it is not supported. + +- The included files must have unique file names within the scope of + the VNF. + +- OpenECOMP does not support a directory hierarchy for included files. + + - All files must be in a single, flat directory per VNF. + +- Included files may be used by all Modules within a given VNF. + +- get\_file directives may be used in both non-nested and nested + templates + +Use of Heat ResourceGroup +------------------------- + +The *OS::Heat::ResourceGroup* is a useful Heat element for creating +multiple instances of a given resource or collection of resources. +Typically it is used with a nested Heat template, to create, for +example, a set of identical *OS::Nova::Server* resources plus their +related *OS::Neutron::Port* resources via a single resource in a master +template. + +*ResourceGroup* may be used in OpenECOMP to simplify the structure of a +Heat template that creates multiple instances of the same VM type. +However, there are important caveats to be aware of. + +*ResourceGroup* does not deal with structured parameters +(comma-delimited-list and json) as one might typically expect. In +particular, when using a list-based parameter, where each list element +corresponds to one instance of the *ResourceGroup*, it is not possible +to use the intrinsic “loop variable” %index% in the *ResourceGroup* +definition. + +For instance, the following is **not** valid Heat for a *ResourceGroup*: + +.. code-block:: python + + type: OS::Heat::ResourceGroup + resource: + type: my\_nested\_vm\_template.yaml + properties: + name: {get\_param: [vm\_name\_list, %index%]} + +Although this appears to use the nth entry of the *vm\_name\_list* list +for the nth element of the *ResourceGroup*, it will in fact result in a +Heat exception. When parameters are provided as a list (one for each +element of a *ResourceGroup*), you must pass the complete parameter to +the nested template along with the current index as separate parameters. + +Below is an example of an **acceptable** Heat Syntax for a +*ResourceGroup*: + +.. code-block:: python + + type: OS::Heat::ResourceGroup + resource: + type: my\_nested\_vm\_template.yaml + properties: + names: {get\_param: vm\_name\_list} + index: %index% + +You can then reference within the nested template as: + +{ get\_param: [names, {get\_param: index} ] } + +Note that this is workaround has very important limitations. Since the +entire list parameter is passed to the nested template, any change to +that list (e.g., adding an additional element) will cause Heat to treat +the entire parameter as updated within the context of the nested +template (i.e., for each *ResourceGroup* element). As a result, if +*ResourceGroup* is ever used for scaling (e.g., increment the count and +include an additional element to each list parameter), Heat will often +rebuild every existing element in addition to adding the “deltas”. For +this reason, use of *ResourceGroup* for scaling in this manner is not +supported. + +Key Pairs +--------- + +When Nova Servers are created via Heat templates, they may be passed a +“keypair” which provides an ssh key to the ‘root’ login on the newly +created VM. This is often done so that an initial root key/password does +not need to be hard-coded into the image. + +Key pairs are unusual in OpenStack, because they are the one resource +that is owned by an OpenStack User as opposed to being owned by an +OpenStack Tenant. As a result, they are usable only by the User that +created the keypair. This causes a problem when a Heat template attempts +to reference a keypair by name, because it assumes that the keypair was +previously created by a specific OpenECOMP user ID. + +When a keypair is assigned to a server, the SSH public-key is +provisioned on the VMs at instantiation time. They keypair itself is not +referenced further by the VM (i.e. if the keypair is updated with a new +public key, it would only apply to subsequent VMs created with that +keypair). + +Due to this behavior, the recommended usage of keypairs is in a more +generic manner which does not require the pre-requisite creation of a +keypair. The Heat should be structured in such a way as to: + +- Pass a public key as a parameter value instead of a keypair name + +- Create a new keypair within the VNF Heat templates (in the base + module) for use within that VNF + +By following this approach, the end result is the same as pre-creating +the keypair using the public key – i.e., that public key will be +provisioned in the new VM. However, this recommended approach also makes +sure that a known public key is supplied (instead of having OpenStack +generate a public/private pair to be saved and tracked outside of +OpenECOMP). It also removes any access/ownership issues over the created +keypair. + +The public keys may be enumerated as a VNF Orchestration Constant in the +environment file (since it is public, it is not a secret key), or passed +at run-time as an instance-specific parameters. OpenECOMP will never +automatically assign a public/private key pair. + +*Example (create keypair with an existing ssh public-key for {vm-type} +of lb (for load balancer)):* + +.. code-block:: python + + parameters: + vnf\_name: + type: string + ssh\_public\_key: + type: string + resources: + my\_keypair: + type: OS::Nova::Keypair + properties: + name: + str\_replace: + template: VNF\_NAME\_key\_pair + params: + VNF\_NAME: { get\_param: vnf\_name } + public\_key: {get\_param: lb\_ssh\_public\_key} + save\_private\_key: false + +Security Groups +--------------- + +OpenStack allows a tenant to create Security groups and define rules +within the security groups. + +Security groups, with their rules, may either be created in the Heat +template or they can be pre-created in OpenStack and referenced within +the Heat template via parameter(s). There can be a different approach +for security groups assigned to ports on internal (intra-VNF) networks +or external networks (inter-VNF). Furthermore, there can be a common +security group across all VMs for a specific network or it can vary by +VM (i.e., {vm-type}) and network type (i.e., {network-role}). + +Anti-Affinity and Affinity Rules +-------------------------------- + +Anti-affinity or affinity rules are supported using normal OpenStack +*“OS::Nova::ServerGroup”* resources. Separate ServerGroups are typically +created for each VM type to prevent them from residing on the same host, +but they can be applied to multiple VM types to extend the +affinity/anti-affinity across related VM types as well. + +*Example:* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} have been defined as “lb” for +load balancer and “db” for database. + +.. code-block:: python + + resources: + db\_server\_group: + type: OS::Nova::ServerGroup + properties: + name: + str\_replace: + params: + $vnf\_name: {get\_param: vnf\_name} + template: $vnf\_name-server\_group1 + policies: + - *anti-affinity* + + lb\_server\_group: + type: OS::Nova::ServerGroup + properties: + name: + str\_replace: + params: + $vnf\_name: {get\_param: vnf\_name} + template: $vnf\_name-server\_group2 + policies: + - *affinity* + + *db\_0:* + *type: OS::Nova::Server* + *properties:* + *...* + scheduler\_hints: + group: {get\_param: db\_server\_group} + + db\_1: + type: OS::Nova::Server + properties: + ... + scheduler\_hints: + group: {get\_param: db\_server\_group} + + lb\_0: + type: OS::Nova::Server + properties: + ... + scheduler\_hints: + group: {get\_param: lb\_server\_group}
\ No newline at end of file diff --git a/docs/Chapter7.rst b/docs/Chapter7.rst index e2a7c39..e50b074 100644 --- a/docs/Chapter7.rst +++ b/docs/Chapter7.rst @@ -2,6 +2,1091 @@ ===================================== a. Service Design -#. VNF On-boarding and package management -#. Configuration Management -#. Monitoring & Management +================== + +b. VNF On-boarding and package management +========================================== + +Design Definition +================= + +The ONAP Design Time Framework provides the ability to design NFV +resources including VNFs, Services, and products. The vendor must +provide VNF packages that include a rich set of recipes, management and +functional interfaces, policies, configuration parameters, and +infrastructure requirements that can be utilized by the ONAP Design +module to onboard and catalog these resources. Initially this +information may be provided in documents, but in the near future a +method will be developed to automate as much of the transfer of data as +possible to satisfy its long term requirements. + +The current VNF Package Requirement is based on a subset of the +Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1 +and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization +(NFV), Management and Orchestration, VNF Packaging Specification. + +Table 1. VNF Package + ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID#** | ++==========================+===================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Resource | The VNF Vendor must provide a Manifest File that contains a list of all the components in the VNF package. | Must | 10010 | +| | | | | +| Description | | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The package must include VNF Identification Data to uniquely identify the resource for a given Vendor. The identification data must include: an identifier for the VNF, the name of the VNF as was given by the VNF Vendor, VNF description, VNF Vendor, and version. | Must | 10020 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide documentation describing VNF Management APIs. The document must include information and tools for: | Must | 10030 | +| | | | | +| | - ONAP to deploy and configure (initially and ongoing) the VNF application(s) (e.g., NETCONF APIs). Includes description of configurable parameters for the VNF and whether the parameters can be configured after VNF instantiation. | | | +| | | | | +| | - ONAP to monitor the health of the VNF (conditions that require healing and/or scaling responses). Includes a description of: | | | +| | | | | +| | - Parameters that can be monitored for the VNF and event records (status, fault, flow, session, call, control plane, etc.) generated by the VNF after instantiation. | | | +| | | | | +| | - Runtime lifecycle events and related actions (e.g., control responses, tests) which can be performed for the VNF. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF package must include documentation describing VNF Functional APIs that are utilized to build network and application services. This document describes the externally exposed functional inputs and outputs for the VNF, including interface format and protocols supported. | Must | 10040 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide documentation describing VNF Functional Capabilities that are utilized to operationalize the VNF and compose complex services. | Must | 10050 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide information regarding any dependency (e.g., affinity, anti-affinity) with other VNFs and resources. | Must | 10060 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Resource | The VNF Vendor must support and provide artifacts for configuration management using at least one of the following technologies: | Must | 10070 | +| | | | | +| Configuration | - Netconf/YANG | | | +| | | | | +| | - Chef | | | +| | | | | +| | - Ansible | | | +| | | | | +| | Note: The requirements for Netconf/YANG, Chef, and Ansible protocols are provided separately and must be supported only if the corresponding protocol option is provided by the vendor. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | **Configuration Management via Netconf/YANG** | Must | 10071 | +| | | | | +| | The VNF Vendor must provide a Resource/Device YANG model as a foundation for creating the YANG model for configuration. This will include VNF attributes/parameters and valid values/attributes configurable by policy. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | **Configuration Management via Chef** | Must | 10072 | +| | | | | +| | - VNF Vendor must provide cookbooks to be loaded on the appropriate Chef Server. | | | +| | | | | +| | - The VNF Vendor is required to provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix A. | | | +| | | | | +| | Note: Chef support in ONAP is not currently available and planned for 4Q 2017. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | **Configuration Management via Ansible** | Must | 10073 | +| | | | | +| | - VNF Vendor must provide playbooks to be loaded on the appropriate Ansible Server. | | | +| | | | | +| | - The VNF Vendor is required to provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix B. | | | +| | | | | +| | Note: Ansible support in ONAP is not currently available and planned for 4Q 2017. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include configuration scripts for boot sequence and configuration. | Must | 10080 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide configurable parameters (if unable to conform to YANG model) including VNF attributes/parameters and valid values, dynamic attributes and cross parameter dependencies (e.g., customer provisioning data). | Must | 10090 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Resource | The VNF Vendor must provide documentation for the VNF Policy Description to manage the VNF runtime lifecycle. The document must include a description of how the policies (conditions and actions) are implemented in the VNF. | Must | 10100 | +| | | | | +| Control Loop | | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing the fault, performance, capacity events/alarms and other event records that are made available by the VNF. The document must include: | Must | 10110 | +| | | | | +| | - A unique identification string for the specific VNF, a description of the problem that caused the error, and steps or procedures to perform Root Cause Analysis and resolve the issue. | | | +| | | | | +| | - All events, severity level (e.g., informational, warning, error) and descriptions including causes/fixes if applicable for the event. | | | +| | | | | +| | - All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in *VNF Guidelines for Network Cloud and ONAP*) and for the overall VNF. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action. | Must | 10120 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Provide documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc.) that must be collected for reporting purposes. The documentation must include a list of: | Must | 10130 | +| | | | | +| | - Monitoring parameters/counters exposed for virtual resource management and VNF application management. | | | +| | | | | +| | - KPIs and metrics that need to be collected at each VM for capacity planning and performance management purposes. | | | +| | | | | +| | - The monitoring parameters must include latencies, success rates, retry rates, load and quality (e.g., DPM) for the key transactions/functions supported by the VNF and those that must be exercised by the VNF in order to perform its function. | | | +| | | | | +| | - For each KPI, provide lower and upper limits. | | | +| | | | | +| | - When relevant, provide a threshold crossing alert point for each KPI and describe the significance of the threshold crossing. | | | +| | | | | +| | - For each KPI, identify the suggested actions that need to be performed when a threshold crossing alert event is recorded. | | | +| | | | | +| | - Describe any requirements for the monitoring component of tools for Network Cloud automation and management to provide these records to components of the VNF. | | | +| | | | | +| | - When applicable, provide calculators needed to convert raw data into appropriate reporting artifacts. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing supported VNF scaling capabilities and capacity limits (e.g., number of users, bandwidth, throughput, concurrent calls). | Must | 10140 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing the characteristics for the VNF reliability and high availability. | Must | 10150 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF vendor must provide an artifact per VNF that contains all of the VNF Event Records supported. The artifact should include reference to the specific release of the VNF Event Stream Common Event Data Model document it is based on. ( `AT&T Service Specification; Service: VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__) | Must | 10151 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Compute, | The VNF Package must include VNF topology that describes basic network and application connectivity internal and external to the VNF including Link type, KPIs, Bandwidth, latency, jitter, QoS (if applicable) for each interface. | Must | 10160 | +| | | | | +| Network, | | | | +| | | | | +| Storage | | | | +| | | | | +| Requirements | | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include VM requirements via a Heat template that provides the necessary data for: | Must | 10170 | +| | | | | +| | - VM specifications for all VNF components - for hypervisor, CPU, memory, storage. | | | +| | | | | +| | - Network connections, interface connections, internal and external to VNF. | | | +| | | | | +| | - High availability redundancy model. | | | +| | | | | +| | - Scaling/growth VM specifications. | | | +| | | | | +| | Note: Must comply with the *VNF Heat Template Requirements for ONAP*. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide the binaries and images needed to instantiate the VNF (VNF and VNFC images). | Must | 10180 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must describe scaling capabilities to manage scaling characteristics of the VNF. | Must | 10190 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Testing | The VNF Package must include documentation describing the tests that were conducted by the Vendor and the test results. | Must | 10200 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide their testing scripts to support testing. | Must | 10210 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide software components that can be packaged with/near the VNF, if needed, to simulate any functions or systems that connect to the VNF system under test. This component is necessary only if the existing testing environment does not have the necessary simulators. | Must | 10220 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Licensing Requirements | VNFs must provide metrics (e.g., number of sessions, number of subscribers, number of seats, etc.) to ONAP for tracking every license. | Must | 10230 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Contract shall define the reporting process and the available reporting tools. The vendor will have to agree to the process that can be met by Service Provider reporting infrastructure. | Must | 10240 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNF vendors shall enumerate all of the open source licenses their VNF(s) incorporate. | Must | 10250 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Audits of Service Provider’s business must not be required. | Must | 10260 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Vendor functions and metrics that require additional infrastructure such as a vendor license server for deployment shall not be supported. | Must | 10270 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Provide clear measurements for licensing purposes to allow automated scale up/down by the management system. | Must | 10280 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The vendor must provide the ability to scale up a vendor supplied product during growth and scale down a vendor supplied product during decline without “real-time” restrictions based upon vendor permissions. | Must | 10290 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | A universal license key must be provided per VNF to be used as needed by services (i.e., not tied to a VM instance) as the recommended solution. The vendor may provide pools of Unique VNF License Keys, where there is a unique key for each VNF instance as an alternate solution. Licensing issues should be resolved without interrupting in-service VNFs. | Must | 10300 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must support the metadata about licenses (and their applicable entitlements) as defined in this document for VNF software, and any license keys required to authorize use of the VNF software. This metadata will be used to facilitate onboarding the VNF into the ONAP environment and automating processes for putting the licenses into use and managing the full lifecycle of the licenses. | Must | 10310 | +| | | | | +| | The details of this license model are described in Appendix C. | | | +| | | | | +| | Note: License metadata support in ONAP is not currently available and planned for 1Q 2018. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + + +c. Configuration Management +=========================== + +ONAP interacts directly with VNFs through its Network and Application +Adapters to perform configuration activities within NFV environment. +These activities include service and resource +configuration/reconfiguration, automated scaling of resources, service +and resource removal to support runtime lifecycle management of VNFs and +services. The Adapters employ a model driven approach along with +standardized APIs provided by the VNF developers to configure resources +and manage their runtime lifecycle. + +NETCONF Standards and Capabilities +---------------------------------- + +ONAP Controllers and their Adapters utilize device YANG model and +NETCONF APIs to make the required changes in the VNF state and +configuration. The VNF providers must provide the Device YANG model and +NETCONF server supporting NETCONF APIs to comply with target ONAP and +industry standards. + +**Table 2. VNF Configuration via NETCONF** + ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++=================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Configuration | Virtual Network functions (VNFs) must include a NETCONF server enabling runtime configuration and lifecycle management capabilities. The NETCONF server embedded in VNFs shall provide a NETCONF interface fully defined by supplied YANG models. | Must | 11010 | +| | | | | +| Management | | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| NETCONF | NETCONF server connection parameters shall be configurable during virtual machine instantiation through Heat templates where SSH keys, usernames, passwords, SSH service and SSH port numbers are Heat template parameters. | Must | 11020 | +| | | | | +| Server | | | | +| | | | | +| Requirements | | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Following protocol operations must be implemented: | Must | 11030 | +| | | | | +| | **close-session()**- Gracefully close the current session. | | | +| | | | | +| | **commit(confirmed, confirm-timeout)** - Commit candidate configuration datastore to the running configuration. | | | +| | | | | +| | **discard-changes()** - Revert the candidate configuration datastore to the running configuration | | | +| | | | | +| | **edit-config(target, default-operation, test-option, error-option, config)** - Edit the target configuration datastore by merging, replacing, creating, or deleting new config elements. | | | +| | | | | +| | **get(filter)** - Retrieve (a filtered subset of) the running configuration and device state information. This should include the list of VNF supported schemas. | | | +| | | | | +| | **get-config(source, filter)** - Retrieve a (filtered subset of a) configuration from the configuration datastore source. | | | +| | | | | +| | **kill-session(session)** - Force the termination of **session**. | | | +| | | | | +| | **lock(target)** - Lock the configuration datastore target. | | | +| | | | | +| | **unlock(target)** - Unlock the configuration datastore target. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Following protocol operations should be implemented: | Should | 11040 | +| | | | | +| | **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. | | | +| | | | | +| | **delete-config(target) -** Delete the named configuration datastore target. | | | +| | | | | +| | **get-schema(identifier, version, format) -** Retrieve the YANG schema. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All configuration data shall be editable through a NETCONF <*edit-config*> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. | Must | 11050 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | By default, the entire configuration of the VNF must be retrievable via NETCONF's <get-config> and <edit-config>, independently of whether it was configured via NETCONF or other mechanisms. | Must | 11060 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717 must be supported. This allows multiple independent clients to each write to a different part of the <running> configuration at the same time. | Must | 11070 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:rollback-on-error** value for the <error-option> parameter to the <edit-config> operation must be supported. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left affected. This provides an 'all-or-nothing' edit mode for a single <edit-config> request. | Must | 11080 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The server must support the **:startup** capability. It will allow the running configuration to be copied to this special database. It can also be locked and unlocked. | Must | 11090 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:url** value must be supported to specify protocol operation source and target parameters. The capability URI for this feature will indicate which schemes (e.g., file, https, sftp) that the server supports within a particular URL value. The 'file' scheme allows for editable local configuration databases. The other schemes allow for remote storage of configuration databases. | Must | 11100 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | At least one of the capabilities **:candidate** or **:writable-running** must be implemented. If both **:candidate** and **:writable-running** are provided then two locks should be supported. | Must | 11110 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The server must fully support the XPath 1.0 specification for filtered retrieval of configuration and other database contents. The 'type' attribute within the <filter> parameter for <get> and <get-config> operations may be set to 'xpath'. The 'select' attribute (which contains the XPath expression) will also be supported by the server. A server may support partial XPath retrieval filtering, but it cannot advertise the **:xpath** capability unless the entire XPath 1.0 specification is supported. | Must | 11120 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:validate** capability must be implemented. | Must | 11130 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If **:candidate** is supported, **:confirmed-commit** must be implemented. | Must | 11140 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:with-defaults** capability [RFC6243] shall be implemented. | Must | 11150 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Data model discovery and download as defined in [RFC6022] shall be implemented. | Must | 11160 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | NETCONF Event Notifications [RFC5277] should be implemented. | Should | 11170 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All data models shall be defined in YANG [RFC6020], and the mapping to NETCONF shall follow the rules defined in this RFC. | Must | 11180 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The data model upgrade rules defined in [RFC6020] section 10 should be followed. All deviations from section 10 rules shall be handled by a built-in automatic upgrade mechanism. | Must | 11190 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF must support parallel and simultaneous configuration of separate objects within itself. | Must | 11200 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Locking is required if a common object is being manipulated by two simultaneous NETCONF configuration operations on the same VNF within the context of the same writable running data store (e.g., if an interface parameter is being configured then it should be locked out for configuration by a simultaneous configuration operation on that same interface parameter). | Must | 11210 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Locking must be applied based on the sequence of NETCONF operations, with the first configuration operation locking out all others until completed. | Must | 11220 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If a VNF needs to lock an object for configuration, the lock must be permitted at the finest granularity to avoid blocking simultaneous configuration operations on unrelated objects (e.g., BGP configuration should not be locked out if an interface is being configured, Entire Interface configuration should not be locked out if a non-overlapping parameter on the interface is being configured). The granularity of the lock must be able to be specified via a restricted or full XPath expression. | Must | 11230 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All simultaneous configuration operations should guarantee the VNF configuration integrity (e.g., if a change is attempted to the BUM filter rate from multiple interfaces on the same EVC, then they need to be sequenced in the VNF without locking either configuration method out). | Must | 11240 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | To prevent permanent lock-outs, locks must be released: | Must | 11250 | +| | | | | +| | a. when/if a session applying the lock is terminated (e.g., SSH session is terminated) | | | +| | | | | +| | b. when the corresponding <partial-unlock> operation succeeds | | | +| | | | | +| | c. when a user configured timer has expired forcing the NETCONF SSH Session termination (i.e., product must expose a configuration knob for a user setting of a lock expiration timer) | | | +| | | | | +| | Additionally, to guard against hung NETCONF sessions, another NETCONF session should be able to initiate the release of the lock by killing the session owning the lock, using the <kill-session> operation. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF should support simultaneous <commit> operations within the context of this locking requirements framework. | Must | 11260 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The supplied YANG code and associated NETCONF servers shall support all operations, administration and management (OAM) functions available from the supplier for VNFs. | Must | 11270 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Sub tree filtering must be supported. | Must | 11280 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Heartbeat via a <get> with null filter shall be supported. | Must | 11290 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Get-schema (ietf-netconf-monitoring) must be supported to pull YANG model over session. | Must | 11300 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The supplied YANG code shall be validated using the open source pyang [2]_ program using the following commands: | Must | 11310 | +| | | | | +| | $ pyang --verbose --strict <YANG-file-name(s)> | | | +| | | | | +| | $ echo $! | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The echo command must return a zero value otherwise the validation has failed. | Must | 11320 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The supplier shall demonstrate mounting the NETCONF server on OpenDaylight (client) and: | Must | 11330 | +| | | | | +| | - Modify, update, change, rollback configurations using each configuration data element. | | | +| | | | | +| | - Query each state (non-configuration) data element. | | | +| | | | | +| | - Execute each YANG RPC. | | | +| | | | | +| | - Receive data through each notification statement. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +The following table provides the Yang models that suppliers must +conform, and those where applicable, that suppliers need to use. + +Table 3. YANG Models + ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| **RFC** | **Description** | **Type** | **ID #** | ++================+====================================================================================+============+============+ +| RFC 6020 | YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) | Must | 12010 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6022 | YANG module for NETCONF monitoring | Must | 12020 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6470 | NETCONF Base Notifications | Must | 12030 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6244 | An Architecture for Network Management Using NETCONF and YANG | Must | 12040 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6087 | Guidelines for Authors and Reviewers of YANG Data Model Documents | Must | 12050 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| \*\*RFC 6991 | Common YANG Data Types | Should | 12060 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6536 | NETCONF Access Control Model | Should | 12070 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7223 | A YANG Data Model for Interface Management | Should | 12080 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7224 | IANA Interface Type YANG Module | Should | 12090 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7277 | A YANG Data Model for IP Management | Should | 12100 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7317 | A YANG Data Model for System Management | Should | 12110 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7407 | A YANG Data Model for SNMP Configuration | Should | 12120 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ + +The NETCONF server interface shall fully conform to the following +NETCONF RFCs. + +Table 4. NETCONF RFCs + ++------------+--------------------------------------------------------------------+------------+------------+ +| **RFC** | **Description** | **Type** | **ID #** | ++============+====================================================================+============+============+ +| RFC 4741 | NETCONF Configuration Protocol | Must | 12130 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 4742 | Using the NETCONF Configuration Protocol over Secure Shell (SSH) | Must | 12140 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 5277 | NETCONF Event Notification | Must | 12150 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 5717 | Partial Lock Remote Procedure Call | Must | 12160 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 6241 | NETCONF Configuration Protocol | Must | 12170 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 6242 | Using the Network Configuration Protocol over Secure Shell | Must | 12180 | ++------------+--------------------------------------------------------------------+------------+------------+ + +VNF REST APIs +-------------- + +Healthcheck is a command for which no NETCONF support exists. Therefore, +this must be supported using a RESTful interface which we have defined. + +The VNF must provide a REST formatted GET RPCs to support Healthcheck +queries via the GET method over HTTP(s). + +The port number, url, and other authentication information is provided +by the VNF vendor. + +**Table 5. VNF REST APIs** + ++-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principal** | **Description** | **Type** | **ID #** | ++=================+=======================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| REST APIs | The HealthCheck RPC, executes a vendor-defined VNF Healthcheck over the scope of the entire VNF (e.g., if there are multiple VNFCs, then run a health check, as appropriate, for all VNFCs). It returns a 200 OK if the test completes. A JSON object is returned indicating state (healthy, unhealthy), scope identifier, time-stamp and one or more blocks containing info and fault information. | Must | 12190 | +| | | | | +| | If the VNF is unable to run the HealthCheck, return a standard http error code and message. | | | +| | | | | +| | Examples: | | | +| | | | | +| | 200 | | | +| | | | | +| | { | | | +| | | | | +| | "identifier": "scope represented", | | | +| | | | | +| | "state": "healthy", | | | +| | | | | +| | "time": "01-01-1000:0000" | | | +| | | | | +| | } | | | +| | | | | +| | 200 | | | +| | | | | +| | { | | | +| | | | | +| | "identifier": "scope represented", | | | +| | | | | +| | "state": "unhealthy", | | | +| | | | | +| | {[ | | | +| | | | | +| | "info": "System threshold exceeded details", | | | +| | | | | +| | "fault": | | | +| | | | | +| | { | | | +| | | | | +| | "cpuOverall": 0.80, | | | +| | | | | +| | "cpuThreshold": 0.45 | | | +| | | | | +| | } | | | +| | | | | +| | ]}, | | | +| | | | | +| | "time": "01-01-1000:0000" | | | +| | | | | +| | } | | | ++-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Chef Standards and Capabilities +------------------------------- + +ONAP will support configuration of VNFs via Chef subject to the +requirements and guidelines defined in this section. + +The Chef configuration management mechanism follows a client-server +model. It requires the presence of a Chef-Client on the VNF that will be +directly managed by a Chef Server. The Chef-client will register with +the appropriate Chef Server and are managed via ‘cookbooks’ and +configuration attributes loaded on the Chef Server which contain all +necessary information to execute the appropriate actions on the VNF via +the Chef-client. + +ONAP will utilize the open source Chef Server, invoke the documented +Chef REST APIs to manage the VNF and requires the use of open source +Chef-Client and Push Jobs Client on the VNF +(https://downloads.chef.io/). + +**Table 6. VNF Configuration via Chef** + ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++============================+===============================================================================================================================================================================================================================================================================================================+============+============+ +| Chef Server Requirements | ONAP will interact with the Chef Server designated to manage a target VNF. ONAP design allows for the VNF to register with the following types of Chef Server [3]_: | Must | 12310 | +| | | | | +| | - **Chef Server hosted by ONAP**: ONAP will provide a Chef Server to manage a VNF. If this choice is used then it is required that the VNF Vendor provide all relevant cookbooks to ONAP to be loaded on the Chef Server. | | | +| | | | | +| | - **Chef Server hosted in Tenant Space**: The Chef Server may also be hosted external to ONAP in tenant space. Same guidelines as ONAP Chef Server apply. In addition, the owner is required to provide appropriate credentials to ONAP in order to interact with the Chef Server. | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Chef Client | It is required that as part of the installation process, the chef-client on the VNF be preloaded with validator keys and configuration to register with the designated Chef Server. | Must | 12320 | +| | | | | +| Requirements | | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All the endpoints (VMs) of a VNF that contain chef-clients are required to have routable FQDNs which are used to register with the Chef Server. As part of invoking VNF actions, ONAP will trigger push jobs against FQDNs of endpoints for a VNF, if required. | Must | 12330 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that each VNF expose a single endpoint that is responsible for all functionality. | May | 12331 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that the VNF be installed with | Must | 12340 | +| | | | | +| | - Chef-Client >= 12.0 | | | +| | | | | +| | - Chef push jobs client >= 2.0 | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Chef Roles/ | Each VNF Vendor is required to make available for loading on appropriate Chef Server, all relevant Chef artifacts (roles/cookbooks/recipes) required to execute VNF actions requested by ONAP. | Must | 12350 | +| | | | | +| Requirements | | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | For each supported VNF action, the VNF Vendor is required to provide a run list of roles/cookbooks/recipes that will perform the desired VNF action in its entirety as specified by ONAP (see Section 3.5 for list of VNF actions and requirements), when triggered by a chef-client run list in JSON file. | Must | 12360 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Roles/cookbooks/recipes invoked for a VNF action must not contain any instance specific parameters for the VNF. Instead they must accept all necessary instance specific data from the environment or node object attributes. | Must | 12370 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that all configurable parameters in the roles, cookbooks and recipes that can be set by ONAP, over-ride any default values. | Must | 12380 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that when executing a VNF action, if the chef-client run encounters any critical errors/failures, it update status on the Chef Server appropriately (e.g., via a fail or raise an exception). | Must | 12390 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If the VNF action requires the output of a chef-client run be made available (e.g., get running configuration), an attribute, defined as node[‘PushJobOutput’] must be populated with the desired output on all nodes in the push job that execute chef-client run. | Must | 12400 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that, for actions that change state of the VNF (e.g., configure), the Vendor design appropriate cookbooks that can automatically ‘rollback’ to the original state in case of any errors. | Must | 12410 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that any chef-client run associated with a VNF action support callback URLs to return information to ONAP upon completion of the chef-client run. | Should | 12420 | +| | | | | +| | - As part of the push job, ONAP will provide two parameters in the environment of the push job JSON object: | | | +| | | | | +| | - ‘RequestId’ a unique Id to be used to identify the request, | | | +| | | | | +| | - ‘CallbackUrl’, the URL to post response back. | | | +| | | | | +| | - If the CallbackUrl field is empty or missing in the push job, then the chef-client run need not post the results back via callback. | | | +| | | | | +| | - If the chef-client run list includes a cookbook/recipe that is callback capable, it is required to, upon completion of the chef-client run, POST back on the callback URL, a JSON object as described in Table A2. | | | +| | | | | +| | - Failure to POST on the Callback Url should not be considered a critical error. That is, if the chef-client successfully completes the VNF action, it should reflect this status on the Chef Server regardless of whether the Callback succeeded or not. | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +ONAP Chef API Usage +~~~~~~~~~~~~~~~~~~~ + +This section outlines the workflow that ONAP invokes when it receives an +action request against a Chef managed VNF. + +1. When ONAP receives a request for an action for a Chef Managed VNF, it + retrieves the corresponding template (based on **action** and + **VNF)** from its database and sets necessary values in the + “Environment”, “Node” and “NodeList” keys (if present) from either + the payload of the received action or internal data. + +2. If “Environment” key is present in the updated template, it posts the + corresponding JSON dictionary to the appropriate Environment object + REST endpoint on the Chef Server thus updating the Environment + attributes on the Chef Server. + +3. Next, it creates a Node Object from the “Node” JSON dictionary for + all elements listed in the NodeList (using the FQDN to construct the + endpoint) by replicating it [4]_. As part of this process, it will + set the name field in each Node Object to the corresponding FQDN. + These node objects are then posted on the Chef Server to + corresponding Node Object REST endpoints to update the corresponding + node attributes. + +4. If PushJobFlag is set to “True” in the template, ONAP requests a push + job against all the nodes in the NodeList to trigger + chef-client\ **.** It will not invoke any other command via the push + job. ONAP will include a callback URL in the push job request and a + unique Request Id. An example push job posted by ONAP is listed + below: + + { + + "command": "chef-client", + + "run\_timeout": 300, + + "nodes”: [“node1.vnf\_a.onap.com”, “node2.vnf\_a.onap.com”], + + "env": { + + “RequestId”:”8279-abcd-aksdj-19231”, + + “CallbackUrl”:”https://callback.onap:9333” + + }, + + } + +5. If CallbackCapable field in the template is not present or set to + “False” ONAP will poll the Chef Server to check completion status of + the push job. + +6. If “GetOutputFlag” is set to “True” in the template and + CallbackCapable is not set to “True”, ONAP will retrieve any output + from each node where the push job has finished by accessing the Node + Object attribute node[‘PushJobOutput’]. + +Ansible Standards and Capabilities +---------------------------------- + +ONAP will support configuration of VNFs via Ansible subject to the +requirements and guidelines defined in this section. + +Ansible allows agentless management of VMs via execution of ‘playbooks’ +over ssh. The ‘playbooks’ are a structured set of tasks which contain +all the necessary data and execution capabilities to take the necessary +action on one or more target VMs of the VNF. ONAP will utilize the +framework of an Ansible Server that will host and invoke playbooks to +manage VNFs that support Ansible. + +**Table 7. VNF Configuration via Ansible** + ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++===============================+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Ansible Server Requirements | ONAP will utilize an Ansible server in order to manage VNFs that support Ansible playbooks. We note that Ansible in general does not require the use of a server. However, this framework has been adopted to align with ONAP architecture, ease of management and scalability. | Must | 12510 | +| | | | | +| | All playbooks for the VNF will be hosted on a designated Ansible Server that meets ONAP Ansible API requirements. ONAP design allows for VNFs to be managed by an Ansible Server in any of the two following forms [5]_: | | | +| | | | | +| | - **Ansible Server hosted by ONAP**: ONAP will provide an Ansible Server to manage a VNF. If this choice is used then it is required that the VNF Vendor provide all relevant playbooks to ONAP to be loaded on the Ansible Server. | | | +| | | | | +| | - **Ansible Server hosted in Tenant Space**: Same guidelines as the ONAP Ansible Server. The Ansible Server must meet the ONAP Ansible Server API Interface requirements. | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Client | The endpoints (VMs) of a VNF on which playbooks will be executed must have routable FQDNs that are reachable via the Ansible Server. ONAP will initiate requests to the Ansible Server for invocation of playbooks against these end points [6]_. | Must | 12520 | +| | | | | +| Requirements | | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that a VNF typically have a single endpoint. | May | 12521 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The endpoint VM(s) of a VNF on which an Ansible playbook will be executed is required to have Python >= 2.7. | Must | 12530 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The endpoint VM(s) must support SSH and allow SSH access to the Ansible server in line with Network Cloud Service Provider guidelines for authentication and access. | Must | 12540 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Playbook | An Ansible playbook is a collection of tasks that is executed on the Ansible server (local host) and/or the target VM (s) in order to complete the desired action. Each VNF Vendor is required to make available (or load on VNF Ansible Server) playbooks that conform to the ONAP requirements. | Must | 12550 | +| | | | | +| Requirements | | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that each VNF action be supported by invocation of **one** playbook [7]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request. | Must | 12560 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | A playbook must not contain any instance specific parameters. It must utilize information from key value pairs that will be provided by the Ansible Server as extra-vars during invocation to execute the desired VNF action. If the playbook requires files, they must also be supplied using the methodology detailed in the Ansible Server API. | Must | 12570 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server will determine if a playbook invoked to execute a VNF action finished successfully or not using the “PLAY\_RECAP” summary in Ansible log. The playbook will be considered to successfully finish only if the “PLAY RECAP” section at the end of playbook execution output has no unreachable hosts and no failed tasks. Otherwise, the playbook will be considered to have failed. | Must | 12580 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNF vendor must design playbooks to allow Ansible Server to infer failure or success based on the “PLAY\_RECAP” capability. | Must | 12590 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If, as part of a VNF action (e.g., audit), a playbook is required to return any VNF information, it must be written to a specific set of text files that will be retrieved and made available by the Ansible Server. The text files must be written in the same directory as the one from which the playbook is being executed. A text file must be created for each host the playbook is run on, with the name ‘<playbook name> <hostname>\_results.txt’ into which any desired output from each respective VM/VNF must be written. | Must | 12600 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that, for actions that change state of the VNF (e.g., configure), the VNF Vendor design appropriate playbooks that can automatically ‘rollback’ to the original state in case of any errors. | Should | 12610 | +| | | | | +| | NOTE: In case rollback at the playbook level is not supported or possible, vendor shall provide alternative locking mechanism (e.g., for a small VNF the rollback mechanism may rely on workflow to terminate and re-instantiate VNF VMs and then re-run playbook(s)). | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +ONAP Controller APIs and Behavior +--------------------------------- + +ONAP Controllers support the following operations which act directly +upon the VNF. Most of these utilize the NETCONF interface. There are +additional commands in use but these either act internally on Controller +itself or depend upon network cloud components for implementation. Those +actions do not put any special requirement on the VNF provider. + +The following table summarizes how the VNF must act in response to +commands from ONAP. + +Table 8. ONAP Controller APIs and NETCONF Commands + ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Action** | **Description** | **NETCONF Commands** | ++=====================+==================================================================================================================================================================================================================================================================================+===============================================================================================================================================================================================================================+ +| Action | Queries ONAP Controller for the current state of a previously submitted runtime LCM (Lifecycle Management) action. | There is currently no way to check the request status in NETCONF so action status is managed internally by the ONAP controller. | +| | | | +| Status | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Audit, Sync | Compare active (uploaded) configuration against the current configuration in the ONAP controller. Audit returns failure if different. Sync considers the active (uploaded) configuration as the current configuration. | The <get-config> operation is used to retrieve the running configuration from the VNF. | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Lock, | Returns true when the given VNF has been locked. | There is currently no way to query lock state in NETCONF so VNF locking and unlocking is managed internally by the ONAP controller. | +| | | | +| Unlock, | | | +| | | | +| CheckLock | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Configure, | Configure applies a post-instantiation configuration the target VNF or VNFC. ConfigModify updates only a subset of the total configuration parameters of a VNF. | The <edit-config> operation loads all or part of a specified configuration data set to the specified target database. If there is no <candidate/> database, then the target is the <running/> database. A <commit> follows. | +| | | | +| ConfigModify | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Health | Executes a VNF health check and returns the result. A health check is VNF-specific. | The ONAP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. See Section 3.2. | +| | | | +| Check | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| StartApplication, | ONAP requests application to be started or stopped on the VNF or VNFC. These actions do not need to be supported if (1) the application starts automatically after Configure or if the VM’s are started and (2) the application gracefully shuts down if the VM’s are stopped. | These commands have no specific NETCONF RPC action. | +| | | | +| StopApplication | | They can be supported using Ansible or Chef (see Table 9 below). | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| SoftwareUpload, | Upgrades the target VNF to a new version without interrupting VNF operation. | These commands have no specific NETCONF RPC action. | +| | | | +| LiveUpgrade | | They can be supported using Ansible or Chef (see Table 9 below). | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Table 9 lists the required Chef and Ansible support for commands from +ONAP. + +Table 9. ONAP Controller APIs and Chef/Ansible Support + ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Action** | **Chef** | **Ansible** | ++=====================+==================================================================================================================================================================================================================================================================================================+=========================================================================================================================================================================================================================================================+ +| Action | Not needed. ActionStatus is managed internally by the ONAP controller. | Not needed. ActionStatus is managed internally by the ONAP controller. | +| | | | +| Status | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Audit, Sync | VNF Vendor must provide any necessary roles, cookbooks, recipes to retrieve the running configuration from a VNF and place it in the respective Node Objects ‘PushJobOutput’ attribute of all nodes in NodeList when triggered by a chef-client run. | VNF Vendor must provide an Ansible playbook to retrieve the running configuration from a VNF and place the output on the Ansible server in a manner aligned with playbook requirements listed in this document. | +| | | | +| | The JSON file for this VNF action is required to set “PushJobFlag” to “True” and “GetOutputFlag” to “True”. The “Node” JSON dictionary must have the run list populated with the necessary sequence of roles, cookbooks, recipes. | The PlaybookName must be provided in the JSON file. | +| | | | +| | The Environment and Node values should contain all appropriate configuration attributes. | NodeList must list FQDNs of an example VNF on which to execute playbook. | +| | | | +| | NodeList must list sample FQDNs that are required to conduct a chef-client run for this VNF Action. | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Lock, | Not needed. VNF locking and unlocking is managed internally by the ONAP controller. | Not needed. VNF locking and unlocking is managed internally by the ONAP controller. | +| | | | +| Unlock, | | | +| | | | +| CheckLock | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Configure, | VNF Vendor must provide any necessary roles, cookbooks, recipes to apply configuration attributes to the VNF when triggered by a chef-client run. All configurable attributes must be obtained from the Environment and Node objects on the Chef Server. | VNF Vendor must provide an Ansible playbook that can configure the VNF with parameters supplied by the Ansible Server. | +| | | | +| ConfigModify | The JSON file for this VNF action should include all configurable attributes in the Environment and/or Node JSON dictionary. | The PlaybookName must be provided in the JSON file. | +| | | | +| | The “PushJobFlag” must be set to “True”. | The “EnvParameters” and/or “FileParameters” field values should be provided and contain all configurable parameters for the VNF. | +| | | | +| | The “Node” JSON dictionary must have the run list populated with necessary sequence of roles, cookbooks, recipes. This action is not expected to return an output. | NodeList must list FQDNs of an example VNF on which to execute playbook. | +| | | | +| | “GetOutputFlag” must be set to “False”. | | +| | | | +| | NodeList must list sample FQDNs that are required to conduct a chef-client run for this VNF Action. | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Health | The ONAP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. See Section 3.2. | The ONAP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. See Section 3.2. | +| | | | +| Check | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| StartApplication, | VNF Vendor must provide roles, cookbooks, recipes to start an application on the VNF when triggered by a chef-client run. If application does not start, the run must fail or raise an exception. If application is already started, or starts successfully, the run must finish successfully. | VNF Vendor must provide an Ansible playbook to start the application on the VNF. If application does not start, the playbook must indicate failure. If application is already started, or starts successfully, the playbook must finish successfully. | +| | | | +| StopApplication | For StopApplication, the application must be stopped gracefully (no loss of traffic). | For StopApplication, the application must be stopped gracefully (no loss of traffic). | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| SoftwareUpload, | VNF Vendor must provide any necessary roles, cookbooks, recipes to apply a software upgrade to the VNF when triggered by a chef-client run. | VNF Vendor must provide an Ansible playbook that can apply a software upgrade to the VNF when triggered by the Ansible server | +| | | | +| LiveUpgrade | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +For information purposes, the following ONAP controller functions are +planned in the future: + +Table 10. Planned ONAP Controller Functions + ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ConfigSave, | ConfigSave stores the VNF running configuration to a url or file using a specified name. ConfigRestore replaces the VNF running configuration with the configuration previously stored with a url or file with the specified name. | +| | | +| ConfigRestore | | ++==================+==================================================================================================================================================================================================================================================================================================================+ +| Reconfigure | If the audit fails, Reconfigure may be used to be replace the VNF running configuration using a previously uploaded configuration in the ONAP controller. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ConfigStartup | ConfigStartup is used to store a running configuration to be used when a VNF is rebooted. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ConfigRecovery | ConfigRecovery is used to replace the running configuration with a recovery configuration. This recovery configuration is stored in the ONAP Controller and is the configuration uploaded after instantiation. It will only be used if there is no other option to restore the VNF to a working configuration. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| StatusQuery | Executes a VNF status query and returns the result. A status query is VNF-specific. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + + +d. Monitoring & Management +=========================== +Monitoring & Management +======================= + +This section addresses data collection and event processing +functionality that is directly dependent on the interfaces provided by +the VNFs’ APIs. These can be in the form of asynchronous interfaces for +event, fault notifications, and autonomous data streams. They can also +be synchronous interfaces for on-demand requests to retrieve various +performance, usage, and other event information. + +The target direction for VNF interfaces is to employ APIs that are +implemented utilizing standardized messaging and modeling protocols over +standardized transports. Migrating to a virtualized environment presents +a tremendous opportunity to eliminate the need for proprietary +interfaces for vendor equipment while removing the traditional +boundaries between Network Management Systems and Element Management +Systems. Additionally, VNFs provide the ability to instrument the +networking applications by creating event records to test and monitor +end-to-end data flow through the network, similar to what physical or +virtual probes provide without the need to insert probes at various +points in the network. The VNF vendors must be able to provide the +aforementioned set of required data directly to the ONAP collection +layer using standardized interfaces. + +Transports and Protocols Supporting Resource Interfaces +------------------------------------------------------- + +Delivery of data from VNFs to ONAP must use the same common transport +mechanisms and protocols for all VNFs. Transport mechanisms and +protocols have been selected to enable both high volume and moderate +volume datasets, as well as asynchronous and synchronous communications +over secure connections. The specified encoding provides +self-documenting content, so data fields can be changed as needs evolve, +while minimizing changes to data delivery. + +The term ‘Event Record’ is used throughout this document to represent +various forms instrumentation/telemetry made available by the VNF +including, faults, status events and various other types of VNF +measurements and logs. Headers received by themselves must be used as +heartbeat indicators. The common structure and delivery protocols for +other types of data will be given in future versions of this document as +we get more insight into data volumes and required processing. + +In the following guidelines, we provide options for encoding, +serialization and data delivery. Agreements between Service Providers +and VNF vendors shall determine which encoding, serialization and +delivery method to use for particular data sets. The selected methods +must be agreed to prior to the on-boarding of the VNF into ONAP design +studio. + +Table 11. Monitoring & Management + ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++==============================================+=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| VNF telemetry via standardized interface | VNFs must provide all telemetry (e.g., fault event records, syslog records, performance records etc.) to ONAP using the model, format and mechanisms described in this section. | Must | 13005 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Encoding and Serialization | Content delivered from VNFs to ONAP is to be encoded and serialized using JSON (option 1). High-volume data is to be encoded and serialized using Avro, where Avro data format are described using JSON (option 2) [8]_. | Must | 13010 | +| | | | | +| | - JSON plain text format is preferred for moderate volume data sets (option 1), as JSON has the advantage of having well-understood simple processing and being human-readable without additional decoding. Examples of moderate volume data sets include the fault alarms and performance alerts, heartbeat messages, measurements used for VNF scaling and syslogs. | | | +| | | | | +| | - Binary format using Avro is preferred for high volume data sets (option 2) such as mobility flow measurements and other high-volume streaming events (such as mobility signaling events or SIP signaling) or bulk data, as this will significantly reduce the volume of data to be transmitted. As of the date of this document, all events are reported using plain text JSON and REST. | | | +| | | | | +| | - Avro content is self-documented, using a JSON schema. The JSON schema is delivered along with the data content (http://avro.apache.org/docs/current/ ). This means the presence and position of data fields can be recognized automatically, as well as the data format, definition and other attributes. Avro content can be serialized as JSON tagged text or as binary. In binary format, the JSON schema is included as a separate data block, so the content is not tagged, further compressing the volume. For streaming data, Avro will read the schema when the stream is established and apply the schema to the received content. | | | +| | | | | +| | - In the future, we may consider support for other types of encoding & serialization (e.g., gRPC) based on industry demand. | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Reporting Frequency | The frequency that asynchronous data is delivered will vary based on the content and how data may be aggregated or grouped together. For example, alarms and alerts are expected to be delivered as soon as they appear. In contrast, other content, such as performance measurements, KPIs or reported network signaling may have various ways of packaging and delivering content. Some content should be streamed immediately; or content may be monitored over a time interval, then packaged as collection of records and delivered as block; or data may be collected until a package of a certain size has been collected; or content may be summarized statistically over a time interval, or computed as a KPI, with the summary or KPI being delivered. | Must | 13020 | +| | | | | +| | - We expect the reporting frequency to be configurable depending on the virtual network function’s needs for management. For example, Service Provider may choose to vary the frequency of collection between normal and trouble-shooting scenarios. | | | +| | | | | +| | - Decisions about the frequency of data reporting will affect the size of delivered data sets, recommended delivery method, and how the data will be interpreted by ONAP. However, this should not affect deserialization and decoding of the data, which will be guided by the accompanying JSON schema. | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Addressing and Delivery Protocol | ONAP destinations can be addressed by URLs for RESTful data PUT. Future data sets may also be addressed by host name and port number for TCP streaming, or by host name and landing zone directory for SFTP transfer of bulk files. | Must | 13030 | +| | | | | +| | - REST using HTTPS delivery of plain text JSON is preferred for moderate sized asynchronous data sets, and for high volume data sets when feasible. | | | +| | | | | +| | - VNFs must have the capability of maintaining a primary and backup DNS name (URL) for connecting to ONAP collectors, with the ability to switch between addresses based on conditions defined by policy such as time-outs, and buffering to store messages until they can be delivered. At its discretion, the service provider may choose to populate only one collector address for a VNF. In this case, the network will promptly resolve connectivity problems caused by a collector or network failure transparently to the VNF. | | | +| | | | | +| | - VNFs will be configured with initial address(es) to use at deployment time. After that the address(es) may be changed through ONAP-defined policies delivered from ONAP to the VNF using PUTs to a RESTful API, in the same way that other controls over data reporting will be controlled by policy. | | | +| | | | | +| | - Other options are expected to include: | | | +| | | | | +| | - REST delivery of binary encoded data sets. | | | +| | | | | +| | - TCP for high volume streaming asynchronous data sets and for other high volume data sets. TCP delivery can be used for either JSON or binary encoded data sets. | | | +| | | | | +| | - SFTP for asynchronous bulk files, such as bulk files that contain large volumes of data collected over a long time interval or data collected across many VNFs. This is not preferred. Preferred is to reorganize the data into more frequent or more focused data sets, and deliver these by REST or TCP as appropriate. | | | +| | | | | +| | - REST for synchronous data, using RESTCONF (e.g., for VNF state polling). | | | +| | | | | +| | - The ONAP addresses as data destinations for each VNF must be provided by ONAP Policy, and may be changed by Policy while the VNF is in operation. We expect the VNF to be capable of redirecting traffic to changed destinations with no loss of data, for example from one REST URL to another, or from one TCP host and port to another. | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Asynchronous and Synchronous Data Delivery | VNFs are to deliver asynchronous data as data becomes available, or according to the configured frequency. The delivered data must be encoded using JSON or Avro, addressed and delivered as described in the previous paragraphs. | Must | 13040 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNFs are to respond to data requests from ONAP as soon as those requests are received, as a synchronous response. | Must | 13050 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Synchronous communication must leverage the RESTCONF/NETCONF framework used by the ONAP configuration subsystem. This shall include using YANG configuration models and RESTCONF (https://tools.ietf.org/html/draft-ietf-netconf-restconf-09#page-46). | Must | 13060 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF must respond with content encoded in JSON, as described in the RESTCONF specification. This way the encoding of a synchronous communication will be consistent with Avro. | Must | 13070 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | ONAP may request the VNF to deliver the current data for any of the record types defined in Section 4.2 below. The VNF must respond by returning the requested record, populated with the current field values. (Currently the defined record types include the common header record, technology independent records such as Fault, Heartbeat, State Change, Syslog, and technology specific records such as Mobile Flow, Signaling and Voice Quality records. Additional record types will be added in the future as they are standardized and become available.) | Must | 13080 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | ONAP may request the VNF to deliver granular data on device or subsystem status or performance, referencing the YANG configuration model for the VNF. The VNF must respond by returning the requested data elements. | Must | 13090 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If YANG models need to be translated to and from JSON, (https://trac.tools.ietf.org/id/draft-lhotka-netmod-yang-json-00.html) should be utilized for translation, meaning YANG configuration and content can be represented via JSON, consistent with Avro, as described in “Encoding and Serialization” section. | Should | 13100 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Security | VNFs must support secure connections and transports. | Must | 13110 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Access to ONAP and to VNFs, and creation of connections, must be controlled through secure credentials, log-on and exchange mechanisms. | Must | 13120 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Data in motion must be carried only over secure connections. | Must | 13130 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Service Providers require that any content containing Sensitive Personal Information (SPI) or certain proprietary data must be encrypted, in addition to applying the regular procedures for securing access and delivery. | Must | 13140 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Data Model for Event Records +----------------------------- + +This section describes the data model for the collection of telemetry +data from VNFs by Service Providers (SPs) to manage VNF health and +runtime lifecycle. This data model is referred to as the VNF Event +Streaming (VES) specifications. While this document is focused on +specifying some of the records from the ONAP perspective, there may be +other external bodies using the same framework to specify additional +records. For example, OPNFV has a VES project [9]_ that is looking to +specify records for OpenStack’s internal telemetry to manage Application +(VNFs), physical and virtual infrastructure (compute, storage, network +devices), and virtual infrastructure managers (cloud controllers, SDN +controllers). Note that any configurable parameters for these data +records (e.g., frequency, granularity, policy-based configuration) will +be managed using the “Configuration” framework described in the prior +sections of this document. + +The Data Model consists of: + +- Common Header Record: This data structure precedes each of the + Technology Independent and Technology Specific records sections of + the data model. + +- Technology Independent Records: This version of the document + specifies the model for Fault, Heartbeat, State Change, Syslog, + Threshold Crossing Alerts, and VF Scaling\* (short for + measurementForVfScalingFields) records. In the future, these may be + extended to support other types of technology independent records. + Each of these records allows additional fields (name/ value pairs) + for extensibility. The vendors can use these vendor-specific + additional fields to provide additional information that may be + relevant to the managing systems. + +- Technology Specific Records: This version of the document specifies + the model for Mobile Flow records, Signaling and Voice Quality + records. In the future, these may be extended to support other types + of records (e.g., Network Fabric, Security records, etc.). Each of + these records allows additional fields (name/value pairs) for + extensibility. The VNF vendors can use these VNF-specific additional + fields to provide additional information that may be relevant to the + managing systems. A placeholder for additional technology specific + areas of interest to be defined in the future documents has been + depicted. + +|image0| +Figure 1. Data Model for Event Records + +Event Records - Data Structure Description +------------------------------------------ + +The data structure for event records consists of: + +- a Common Event Header block; + +- zero or more technology independent domain blocks; and + + - e.g., Fault domain, State Change domain, Syslog domain, etc. + +- zero or more technology specific domain blocks. + + - e.g., Mobile Flow domain, Signaling domain, Voice Quality domain, + etc. + +Note: Heartbeat records would only have the Common Event Header block. +An optional heartbeat domain is available if required by the heartbeat +implementation. + +Common Event Header +~~~~~~~~~~~~~~~~~~~~~ + +The common header that precedes any of the domain-specific records +contains information identifying the type of record to follow, +information about the sender and other identifying characteristics +related to timestamp, sequence number, etc. + +Technology Independent Records – Fault Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Fault Record, describing a condition in the Fault domain, contains +information about the fault such as the entity under fault, the +severity, resulting status, etc. + +Technology Independent Records – Heartbeat Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Heartbeat Record provides an optional structure for communicating +information about heartbeat or watchdog signaling events. It can contain +information about service intervals, status information etc. as required +by the heartbeat implementation. + +Technology Independent Records – State Change Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The State Change Record provides a structure for communicating +information about data flow through the VNF. It can contain information +about state change related to physical device that is reported by VNF. +As an example, when cards or port name of the entity that has changed +state. + +Technology Independent Records – Syslog Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Syslog Record provides a structure for communicating any type of +information that may be logged by the VNF. It can contain information +about system internal events, status, errors, etc. + +Technology Independent Records – Threshold Crossing Alert Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Threshold Crossing Alert (TCA) Record provides a structure for +communicating information about threshold crossing alerts. It can +contain alert definitions and types, actions, events, timestamps and +physical or logical details. + +Technology Independent Records - VF Scaling Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The VF Scaling\* (short for measurementForVfScalingFields) Record +contains information about VF and VNF resource structure and its +condition to help in the management of the resources for purposes of +elastic scaling. + +Technology Independent Records – otherFields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The otherFields Record defines fields for events belonging to the +otherFields domain of the Technology Independent domain enumeration. +This record provides a mechanism to convey a complex set of fields +(possibly nested or opaque) and is purely intended to address +miscellaneous needs such as addressing time-to-market considerations or +other proof-of-concept evaluations. Hence, use of this record type is +discouraged and should be minimized. + +Technology Specific Records – Mobile Flow Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Mobile Flow Record provides a structure for communicating +information about data flow through the VNF. It can contain information +about connectivity and data flows between serving elements for mobile +service, such as between LTE reference points, etc. + +Technology Specific Records – Signaling Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Signaling Record provides a structure for communicating information +about signaling messages, parameters and signaling state. It can contain +information about data flows for +`signaling <https://en.wikipedia.org/wiki/Signaling_%28telecommunications%29>`__ +and controlling +`multimedia <https://en.wikipedia.org/wiki/Multimedia>`__ communication +`session <https://en.wikipedia.org/wiki/Session_%28computer_science%29>`__\ s +such as `voice <https://en.wikipedia.org/wiki/Telephone_call>`__ and +`video calls <https://en.wikipedia.org/wiki/Video_call>`__. + +Technology Specific Records – Voice Quality Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Voice Quality Record provides a structure for communicating +information about voice quality statistics including media connection +information, such as transmitted octet and packet counts, packet loss, +packet delay variation, round-trip delay, QoS parameters and codec +selection. + +Technology Specific Records – Future Domains +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The futureDomains Record is a placeholder for additional technology +specific areas of interest that will be defined and described in the +future documents. + +Data Structure Specification of the Event Record +------------------------------------------------ + +For additional information on the event record formats of the data +structures mentioned above, please refer to `AT&T Service Specification; +Service: VES Event +Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__. + +.. [1] + ECOMP (Enhanced Control Orchestration, Management & Policy) + Architecture White Paper + (http://about.att.com/content/dam/snrdocs/ecomp.pdf) + +.. [2] + https://github.com/mbj4668/pyang + +.. [3] + Decision on which Chef Server instance associates with a VNF will be + made on a case-by-case basis depending on VNF, access requirements, + etc. and are outside the scope of this document. The specific + criteria for this would involve considerations like connectivity and + access required by the VNF, security, VNF topology and proprietary + cookbooks. + +.. [4] + Recall that the Node Object **is required** to be identical across + all VMs of a VNF invoked as part of the action except for the “name”. + +.. [5] + Decision on which Ansible Server to use may happen on a case-by-case + basis depending on VNF, access requirements etc. and are outside the + scope of this document. The specific criteria for this could involve + considerations like connectivity and access required by the VNF, + security, VNF topology and proprietary playbooks. + +.. [6] + Upstream elements must provide the appropriate FQDN in the request to + ONAP for the desired action. + +.. [7] + Multiple ONAP actions may map to one playbook. + +.. [8] + This option is not currently supported in ONAP and it is currently + under consideration. + +.. [9] + https://wiki.opnfv.org/display/PROJ/VNF+Event+Stream + +.. [10] + The “name” field is a mandatory field in a valid Chef Node Object + JSON dictionary. + +.. |image0| image:: Data_Model_For_Event_Records.png + :width: 7in + :height: 8in
\ No newline at end of file diff --git a/docs/Chapter8.rst b/docs/Chapter8.rst index 4ef6468..a43ba03 100644 --- a/docs/Chapter8.rst +++ b/docs/Chapter8.rst @@ -1,4 +1,802 @@ **8. Appendix** =============== -a. Data Record Formats
\ No newline at end of file +a. Data Record Formats +====================== + +**Appendix A – Chef JSON Key Value Description** + +The following provides the key value pairs that must be contained in the +JSON file supporting Chef action. + +Table A1. Chef JSON File key value description +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| **Field Name** | **Description** | **Type** | **Comment** | ++===================+===================================================================================================================================================================================================================================================================================================+=============+=========================================================================================================================================+ +| Environment | A JSON dictionary representing a Chef Environment object. If the VNF action requires loading or modifying Chef environment attributes associated with the VNF, all the relevant information must be provided in this JSON dictionary in a structure that conforms to a Chef Environment Object. | Optional | Depends on VNF action. | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| Node | A JSON dictionary representing a Chef Node Object. | Mandatory | | +| | | | | +| | The Node JSON dictionary must include the run list to be triggered for the desired VNF action by the push job. It should also include any attributes that need to be configured on the Node Object as part of the VNF action. | | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| NodeList | Array of FQDNs that correspond to the endpoints (VMs) of a VNF registered with the Chef Server that need to trigger a chef-client run as part of the desired VNF action. | Mandatory | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| PushJobFlag | This field indicates whether the VNF action requires a push Job. Push job object will be created by ONAP if required. | Mandatory | If set to “True”, ONAP will request a push job. Ignored otherwise. | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| CallbackCapable | This field indicates if the chef-client run invoked by push job corresponding to the VNF action is capable of posting results on a callback URL. | Optional | If Chef cookbook is callback capable, VNF owner is required to set it to “True”. Ignored otherwise. | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| GetOutputFlag | Flag which indicates whether ONAP should retrieve output generated in a chef-client run from Node object attribute node[‘PushJobOutput’] for this VNF action (e.g., in Audit). | Mandatory | ONAP will retrieve output from NodeObject attributes [‘PushJobOutput’] for all nodes in NodeList if set to “True”. Ignored otherwise. | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ + +Chef Template example: + +“Environment”:{ + + "name": "HAR", + + "description": "VNF Chef environment for HAR", + + "json\_class": "Chef::Environment", + + "chef\_type": "environment", + + "default\_attributes": { }, + + "override\_attributes": { + + “Retry\_Time”:”50”, + + “MemCache”: “1024”, + + “Database\_IP”:”10.10.1.5” + + }, + +} + +} + +“Node”: { + + “name” : “signal.network.com “ + + "chef\_type": "node", + + "json\_class": "Chef::Node", + + "attributes": { + + “IPAddress1”: “192.168.1.2”, + + “IPAddress2”:”135.16.162.5”, + + “MyRole”:”BE” + + }, + + "override": {}, + + "default": {}, + + “normal”:{}, + + “automatic”:{}, + + “chef\_environment” : “\_default” + + "run\_list": [ "configure\_signal" ] + + }, + + “NodeList”:[“node1.vnf\_a.onap.com”, “node2.vnf\_a.onap.com”], + + “PushJobFlag”: “True” + + “CallbackCapable”:True + + “GetOutputFlag” : “False” + +} + +The example JSON file provided by the vendor for each VNF action will be +turned into a template by ONAP, that can be updated with instance +specific values at run-time. + +Some points worth noting regarding the JSON fields: + +a. The JSON file must be created for each action for each VNF. + +b. If a VNF action involves multiple endpoints (VMs) of a VNF, ONAP will + replicate the “Node” JSON dictionary in the template and post it to + each FQDN (i.e., endpoint) in the NodeList after setting the “name” + field in the Node object to be the respective FQDN [10]_. Hence, it + is required that all end points (VMs) of a VNF involved in a VNF + action support the same set of Node Object attributes. + +The following table describes the JSON dictionary to post in Callback. + +Table A2. JSON Dictionary to Post in Callback +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++=================+===========================================================================================================================================================================================================+=============+=============================================================+ +| RequestId | A unique string associated with the original request by ONAP. This key-value pair will be provided by ONAP in the environment of the push job request and must be returned as part of the POST message. | Mandatory | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| StatusCode | An integer that must be set to | Mandatory | | +| | | | | +| | 200 if chef-client run on the node finished successfully | | | +| | | | | +| | 500 otherwise. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| StatusMessage | A string which must be set to | Mandatory | | +| | | | | +| | ‘SUCCESS’ if StatusCode was 200 | | | +| | | | | +| | Appropriate error message otherwise. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| Name | A string which corresponds to the name of the node where push job is run. It is required that the value be retrieved from the node object attributes (where it is always defined). | Mandatory | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| PushJobOutput | Any output from the chef-client run that needs to be returned to ONAP. | Optional | Depends on VNF action. If empty, it must not be included. | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ + + +**Appendix B – Ansible JSON Key Value Description** + +The following provides the key value pairs that must be contained in the +JSON file supporting Ansible action. + +Table B1. Ansible JSON File key value description +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| **Field Name** | **Description** | **Type** | **Comment** | ++==================+============================================================================================================================================================================================================================================================================================+=============+=====================================================================+ +| PlaybookName | VNF Vendor must list name of the playbook used to execute the VNF action. | Mandatory | | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| Action | Name of VNF action. | Optional | | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| EnvParameters | A JSON dictionary which should list key value pairs to be passed to the Ansible playbook. These values would correspond to instance specific parameters that a playbook may need to execute an action. | Optional | Depends on the VNF action. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| NodeList | A JSON array of FQDNs that the playbook must be executed on. | Optional | If not provided, playbook will be executed on the Ansible Server. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| FileParameters | A JSON dictionary where keys are filenames and values are contents of files. The Ansible Server will utilize this feature to generate files with keys as filenames and values as content. This attribute can be used to generate files that a playbook may require as part of execution. | Optional | Depends on the VNF action and playbook design. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| Timeout | Time (in seconds) that a playbook is expected to take to finish execution for the VNF. If playbook execution time exceeds this value, Ansible Server will terminate the playbook process. | Optional | | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ + +Ansible JSON file example: + +{ + + “Action”:”Configure”, + + "PlaybookName": "Ansible\_configure.yml", + + "NodeList": ["test1.vnf\_b.onap.com", “test2.vnf\_b.onap.com”], + + "Timeout": 60, + + "EnvParameters": {"Retry": 3, "Wait": 5, “ConfigFile”:”config.txt”}, + + “FileParameters”:{“config.txt”:”db\_ip=10.1.1.1, sip\_timer=10000”} + +} + +In the above example, the Ansible Server will: + +a. Process the “FileParameters” dictionary and generate a file named + ‘config.txt’ with contents set to the value of the ‘config.txt’ key. + +b. Execute the playbook named ‘Ansible\_configure.yml’ on nodes with + FQDNs test1.vnf\_b.onap.com and test2.vnf\_b.onap.com respectively + while providing the following key value pairs to the playbook: + Retry=3, Wait=5, ConfigFile=config.txt + +c. If execution time of the playbook exceeds 60 secs (across all hosts), + it will be terminated. + +**Appendix C – VNF License Information Guidelines** + +This Appendix describes the metadata to be supplied for VNF licenses. + +1. General Information + +Table C1 defines the required and optional fields for licenses. + +Table C1. Required Fields for General Information +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++================================+===========================================================================================================================================================================================================================================================================================================+===================+=============+ +| Vendor Name | The name of the vendor. | String | Mandatory | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Vendor Product | The name of the product to which this agreement applies. | String | Mandatory | +| | | | | +| | Note: a contract/agreement may apply to more than one vendor product. In that case, provide the metadata for each product separately. | | | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Vendor Product Description | A general description of vendor software product. | String | Optional | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Export Control | ECCNs are 5-character alpha-numeric designations used on the Commerce Control List (CCL) to identify dual-use items for export control purposes. An ECCN categorizes items based on the nature of the product, i.e. type of commodity, software, or technology and its respective technical parameters. | String | Mandatory | +| | | | | +| Classification Number (ECCN) | | | | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Reporting Requirements | A list of any reporting requirements on the usage of the software product. | List of strings | Optional | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ + +1. Entitlements + +Entitlements describe software license use rights. The use rights may be +quantified by various metrics: # users, # software instances, # units. +The use rights may be limited by various criteria: location (physical or +logical), type of customer, type of device, time, etc. + +One or more entitlements can be defined; each one consists of the +following fields: + +Table C2. Required Fields for Entitlements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++=====================================================+=======================================================================================================================================================================================+===================+===============+ +| Vendor Part Number / Manufacture Reference Number | Identifier for the entitlement as described by the vendor in their price list / catalog / contract. | String | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Description | Verbiage that describes the entitlement. | String | Optional | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Entitlement Identifier | Each entitlement defined must be identified by a unique value (e.g., numbered 1, 2, 3….) | String | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Minimum Order Requirement | The minimum number of entitlements that need to be purchased. For example, the entitlements must be purchased in a block of 100. If no minimum is required, the value will be zero. | Number | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Unique Reporting Requirements | A list of any reporting requirements on the usage of the software product. (e.g.: quarterly usage reports are required) | List of Strings | Optional | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| License Type | Type of license applicable to the software product. (e.g.: fixed-term, perpetual, trial, subscription.) | String | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| License Duration | Valid values: | String | Conditional | +| | | | | +| | **year**, **quarter**, **month**, **day**. | | | +| | | | | +| | Not applicable when license type is Perpetual. | | | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| License Duration Quantification | Number of years, quarters, months, or days for which the license is valid. | Number | Conditional | +| | | | | +| | Not applicable when license type is Perpetual. | | | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Limits | see section C.4 for possible values | List | Optional | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ + +1. License Keys + +This section defines information on any License Keys associated with the +Software Product. A license key is a data string (or a file) providing a +means to authorize the use of software. License key does not provide +entitlement information. + +License Keys are not required. Optionally, one or more license keys can +be defined; each one consists of the following fields: + +Table C3. Required Fields for License Keys +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++==========================+===============================================================================================================+=================+=============+ +| Description | Verbiage that describes the license key | String | Mandatory | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| License Key Identifier | Each license key defined must be identified by a unique value (e.g., numbered 1, 2, 3….) | String | Mandatory | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Key Function | Lifecycle stage (e.g., Instantiation or Activation) at which the license key is applied to the software. | String | Optional | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| License Key Type | Valid values: | String | Mandatory | +| | | | | +| | **Universal, Unique** | | | +| | | | | +| | **Universal** - a single license key value that may be used with any number of instances of the software. | | | +| | | | | +| | **Unique**- a unique license key value is required for each instance of the software. | | | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limits | see section C.4 for possible values | List | Optional | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ + +1. Entitlement and License Key Limits + +Limitations on the use of software entitlements and license keys may be +based on factors such as: features enabled in the product, the allowed +capacity of the product, number of installations, etc... The limits may +generally be categorized as: + +- where (location) + +- when (time) + +- how (usages) + +- who/what (entity) + +- amount (how much) + +Multiple limits may be applicable for an entitlement or license key. +Each limit may further be described by limit behavior, duration, +quantification, aggregation, aggregation interval, start date, end date, +and threshold. + +When the limit is associated with a quantity, the quantity is relative +to an instance of the entitlement or license key. For example: + +- Each entitlement grants the right to 50 concurrent users. If 10 + entitlements are purchased, the total number of concurrent users + permitted would be 500. In this example, the limit category is + **amount**, the limit type is **users**, and the limit + **quantification** is **50.** + + Each license key may be installed on 3 devices. If 5 license keys are + acquired, the total number of devices allowed would be 15. In this + example, the limit category is **usages**, the limit type is + **device**, and the limit **quantification** is **3.** + +1. Location + +Locations may be logical or physical location (e.g., site, country). For +example: + +- use is allowed in Canada + +Table C4. Required Fields for Location +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+=====================================================================================================================+==================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered 1,2,3…) | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Category | Valid value: **location** | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Type | Valid values: **city, county, state, country, region, MSA, BTA, CLLI** | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit List | List of locations where the Vendor Product can be used or needs to be restricted from use | List of String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Set Type | Indicates if the list is an inclusion or exclusion. | String | Mandatory | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ + +1. Time + +Limit on the length of time the software may be used. For example: + +- license key valid for 1 year from activation + +- entitlement valid from 15 May 2018 thru 30 June 2020 + +Table C5. Required Fields for Time +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+===============================================================================================================================+==================+===============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | +| | | | | +| | The limit behavior may also describe when a time limit takes effect. (e.g., key is valid for 1 year from date of purchase). | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Category | Valid value: **time** | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Type | Valid values: **duration, date** | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit List | List of times for which the Vendor Product can be used or needs to be restricted from use | List of String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Duration Units | Required when limit type is duration. Valid values: **perpetual, year, quarter, month, day, minute, second, millisecond** | String | Conditional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Start Date | Required when limit type is date. | Date | Optional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| End Date | May be used when limit type is date. | Date | Optional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ + +1. Usage + +Limits based on how the software is used. For example: + +- use is limited to a specific sub-set of the features/capabilities the + software supports + +- use is limited to a certain environment (e.g., test, development, + production…) + +- use is limited by processor (vm, cpu, core) + +- use is limited by software release + +Table C6. Required Fields for Usage +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+==============================================================================================================+==================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Category | Valid value: **usages** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Type | Valid values: **feature, environment, processor, version** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit List | List of usage limits (e.g., test, development, vm, core, R1.2.1, R1.3.5…) | List of String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Set Type | Indicates if the list is an inclusion or exclusion. | String | Mandatory | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ + +1. Entity + +Limit on the entity (product line, organization, customer) allowed to +make use of the software. For example: + +- allowed to be used in support of wireless products + +- allowed to be used only for government entities + +Table C7. Required Fields for Entity +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+==============================================================================================================+==================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Category | Valid value: **entity** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Type | Valid values: **product line, organization, internal customer, external customer** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit List | List of entities for which the Vendor Product can be used or needs to be restricted from use | List of String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Set Type | Indicates if the list is an inclusion or exclusion. | String | Mandatory | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ + +1. Amount + +These limits describe terms relative to utilization of the functions of +the software (for example, number of named users permitted, throughput, +or capacity). Limits of this type may also be relative to utilization of +other resources (for example, a limit for firewall software is not based +on use of the firewall software, but on the number of network +subscribers). + +The metadata describing this type of limit includes the unit of measure +(e.g., # users, # sessions, # MB, # TB, etc.), the quantity of units, +any aggregation function (e.g., peak or average users), and aggregation +interval (day, month, quarter, year, etc.). + +Table C8. Required Fields for Amount +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+================================================================================================================================================================================================================================================================+=================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Category | Valid value: **amount** | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Type | Valid values: **trunk, user, subscriber, session, token, transactions, seats, KB, MB, TB, GB** | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Type of Utilization | Is the limit relative to utilization of the functions of the software or relative to utilization of other resources? | String | Mandatory | +| | | | | +| | Valid values: | | | +| | | | | +| | - **software functions** | | | +| | | | | +| | - **other resources** | | | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Aggregation Function | Valid values: **peak, average** | String | Optional | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Aggregation Interval | Time period over which the aggregation is done (e.g., average sessions per quarter). Required when an Aggregation Function is specified. | String | Optional | +| | | | | +| | Valid values: **day, month, quarter, year, minute, second, millisecond** | | | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Aggregation Scope | Is the limit quantity applicable to a single entitlement or license key (each separately)? Or may the limit quantity be combined with others of the same type (resulting in limit amount that is the sum of all the purchased entitlements or license keys)? | String | Optional | +| | | | | +| | Valid values: | | | +| | | | | +| | - **single** | | | +| | | | | +| | - **combined** | | | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Type of User | Describes the types of users of the functionality offered by the software (e.g., authorized, named). This field is included when Limit Type is user. | String | Optional | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ + + +**Appendix D – Ansible Server Specification** + +This section outlines the specifications for an ONAP compliant Ansible +Server that can optionally be provided by the VNF Vendor. The Ansible +Server will be used as a repository to store Ansible playbooks as well +as an execution engine which upon a REST API request, will execute +Ansible playbook against VNFs. + +Table D1. Ansible Server Requirements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++==============================================+==============================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Ansible Server Scope | The Ansible Server is required to support storage and execution of playbooks that are in yaml format or a collection of playbooks compressed and uploaded in tar-ball format. | Must | D1000 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server must accept requests for execution of playbooks via a REST interface. The scope of each request will involve exactly one action and will request execution of one playbook. | Must | D1010 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The playbook executed by the Ansible Server will be responsible for execution of the entire action against the VNF (e.g., calling other playbooks, running tasks on multiple VMs in the VNF) and return back the status of the action as well as any necessary output in its entirety after the action is finished. | Must | D1020 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server must support simultaneous execution of multiple playbooks against different VNFs in parallel (i.e., process multiple requests). | Must | D1030 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server will be loaded with all necessary credentials to invoke playbooks against target VNF(s). | Must | D1040 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server/ONAP Interface | Load Playbook\ **:** The Ansible Server must expose an authenticated interface to allow loading all necessary playbooks for a target VNF. It should impose an identification mechanism that allows each playbook to be uniquely identified. | Must | D1050 | +| | | | | +| | - It is recommended that the load Playbook API be a REST API. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Request API: The Ansible Server must expose a REST endpoint that accepts a POST message to request execution of the playbook (e.g., https://ansible.test.att.com:8080). The POST request must be a JSON block as outlined in Table D2. | Must | D1060 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | When the Ansible server accepts an authenticated request to execute a playbook, it is required to send back an initial response indicating whether the request is accepted or rejected. The response must be a JSON Object with the key value pairs as described in Table D3. | Must | D1070 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Result API: If the Ansible Server accepts a request to execute a playbook, it must make available status of the execution of the playbook at a Results REST endpoint indexed by the Id in the request in the form <url>?Id=<RequestId>&Type=GetResult where <url> is the URL used for submitting requests. For example, https://ansible.test.att.com?Id=10&Type=GetResult. | Must | D1080 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | When a GET is invoked against the Results REST endpoint, the Ansible Server must reply with an appropriate response: | Must | D1090 | +| | | | | +| | - If the Endpoint is invalid (no request, or request expired), reply with a standard HTTP 404 error. | | | +| | | | | +| | - If the playbook execution is still ongoing, then the Ansible Server is required to block on the GET request till the execution finishes or terminates. | | | +| | | | | +| | - Upon completion of execution, the Ansible Server is required to respond to the GET request with the result of the playbook execution in the form of a JSON message as outlined in the Table D4. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The dictionary associated with the ‘Results’ key in the Result Response must be a key-value pair where each key corresponds to an entry in the NodeList and the value is a dictionary with the format as outlined in Table D5. | Must | D1100 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server Actions | The Ansible Server must take the following actions when triggered by a request to execute a playbook: | Must | D1110 | +| | | | | +| | - Determine if the request is valid, and if so, must send back an initial response message accepting the request. | | | +| | | | | +| | - If the request contains a “FileParameters” key that is not NULL, create all the necessary files. | | | +| | | | | +| | - Invoke the ansible playbook while providing it all appropriate parameters listed in EnvParameters and inventory information listed in NodeList. The playbook will be responsible for execution of all necessary steps required by the VNF action. | | | +| | | | | +| | - If the playbook finishes, use the PLAY\_RECAP functionality to determine whether playbook finished successfully on each endpoint identified in the NodeList. | | | +| | | | | +| | - If the playbook finishes, collect any output returned by the playbook. A playbook conforming to the ONAP vendor requirements document will write out any necessary output to a file named ‘<hostname>\_results.txt’ in the working directory, where ‘hostname’ is an element of the NodeList where the playbook is being executed. | | | +| | | | | +| | - If the playbook execution exceeds the Timeout value, the playbook execution process is terminated and ansible log that captures the last task executed is stored. | | | +| | | | | +| | - Make results available on the Results REST Endpoint as documented in Table D3. | | | +| | | | | +| | - If Callback url was provided in initial request, post the final response message on the Callback URL along with an additional key additional key “Id “: which corresponds to the request Id sent in the request. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server Result Storage Requirements | The Ansible Server must cache and provide results of an execution as well as retain logs for debugging purposes as outlined below: | Must | D1120 | +| | | | | +| | - The results from a playbook execution result must be retained by the Ansible Server and made available through the respective REST endpoint for a duration that is configurable. | | | +| | | | | +| | - Recommended duration is 2 x Timeout. | | | +| | | | | +| | - The log from a playbook must be stored by the Ansible Server, tagged with the Id along with all other parameters in the initial request in a format that allows for examination for debugging purposes. | | | +| | | | | +| | - The results from playbook execution and log files shall be removed after a configurable defined retention period for this type of file. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server Locking Mechanism | The Ansible Server shall lock VNF while running playbooks that require exclusive use of a VNF (Configure is an example) and not accept requests to run other playbooks or queue those requests until playbook that requires exclusivity completes | Must | D1130 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Table D2. Request Message +~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++===================+=========================================================================================================================================================================================================================================================================================================================================================+=============+====================================================================================================================================+ +| Id | A unique string that identifies this request. For e.g., a UUID | Mandatory | NOT NULL | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| PlaybookName | A string which contains the name of the playbook to execute. | Mandatory | NOT NULL | +| | | | | +| | Example: memthres.yaml | | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| Action | Name of action | Optional | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| NodeList | List of endpoints of the VNF against which the playbook should be executed. | Optional | If not specified, playbook executed within Ansible Server (localhost) | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| Timeout | Time the Ansible Server should wait (in seconds), before terminating playbook execution. The Ansible Server will apply the timeout for the entire playbook execution (i.e., independent of number of endpoints against which the playbook is executing). If playbook execution time exceeds the timeout value, the server will terminate the process. | Optional | If not specified, Ansible server will use internal default value (configurable) | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| LocalParameters | A JSON dictionary that can be used to provide key value pairs that are specific to each individual VNF/VM instance. Key must be endpoint FQDN and value a JSON dictionary with key-value pairs for the playbook run associated with that host/group. | Optional | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| EnvParameters | A JSON dictionary that can be used to specify key value pairs passed at run time to the playbook that are common across all hosts against which the playbook will run. | Optional | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| CallbackUrl | A callback URL that Ansible Server can POST results to once playbook finishes execution or is terminated. | Optional | If present, Ansible Server is required to POST response back on the Callback URL | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| FileParameters | A dictionary where keys correspond to file names to be generated and values correspond to contents of files. | Optional | If present, Ansible Server will first process this and write out contents to appropriate files and then process other parameters | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ + +Table D3. Initial Response Message +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ +| **Key** | **Description** | **Type** | **Comment** | ++====================+==========================================================================================+=============+===============+ +| StatusCode | An integer indicating status of the request. It MUST take one of the following values: | Mandatory | | +| | | | | +| | 100 if request is accepted | | | +| | | | | +| | 101 if request is rejected | | | ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ +| StatusMessage | A string describing Server’s response | Mandatory | | +| | | | | +| | It MUST be set to ‘PENDING’ if StatusCode=100 | | | +| | | | | +| | It MUST be set to appropriate error exception message if StatusCode=101 | | | ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ +| ExpectedDuration | Time the server expects (in seconds) to finish the playbook execution. | Optional | | ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ + +Table D4. Final Response Message +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++=================+=======================================================================================================+=============+========================+ +| StatusCode | 200 if Execution finished normally | Mandatory | | +| | | | | +| | 500 otherwise. | | | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| StatusMessage | A string which be set to either of the TWO values: | Mandatory | | +| | | | | +| | - ‘FINISHED’ if StatusCode=200 | | | +| | | | | +| | - Appropriate error exception message if StatusCode=500 | | | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| Duration | Time it took for execution to finish (in seconds). | Optional | | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| Result | A JSON dictionary that lists the status of playbook execution for each VM (or VNF) in the NodeList. | Optional | Not present if empty | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ + +Table D5. Result Block Format +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++=================+==========================================================+=============+========================+ +| GroupName | Group under which the VM (or VNF) falls in a playbook. | Optional | | ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| StatusCode | A string which must have the following values: | Mandatory | | +| | | | | +| | - 200 if SUCCESS | | | +| | | | | +| | - 500 otherwise | | | ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| StatusMessage | An integer with the following values: | Mandatory | | +| | | | | +| | - ‘SUCCESS’ if StatusCode=200 | | | +| | | | | +| | - Error exception message otherwise | | | ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| Output | Any output the playbook is required to return. | Optional | Not present if empty | ++-----------------+----------------------------------------------------------+-------------+------------------------+ + +Some illustrative examples are shown below: + +1. An example POST for requesting execution of a Playbook : + + {"Id": "10", “Action”:”HealthCheck”, "PlaybookName": + "ansible\_getresource.yml", "NodeList": + ["interface1.vnf\_b.onap.com", ["interface2.vnf\_b.onap.com"], + "Timeout": 60, "EnvParameters": {"Retry": 3, "Wait": 5}} + +2. Potential examples of Ansible Server initial response. + + a. Successfully accepted request: {"StatusCode": "100", + "ExpectedDuration": "60sec", "StatusMessage": "PENDING"} + + b. Request rejected: {"StatusCode": "101", "StatusMessage": "PLAYBOOK + NOT FOUND "} + +3. Potential examples of final response by Ansible Server to a GET on + + a. Playbook successful execution: {"Duration": "4.864815sec", + “StatusCode”: 200, “StatusMessage”:”FINISHED”, "Results": + {"interface\_1.vnf\_b.onap.com": {"StatusCode": "200", + "GroupName": "vnf-x-oam", "StatusMessage": "SUCCESS", + “Output”:{“CPU”:30, “Memory”:”5Gb”}, + "interface\_1.vnf\_b.onap.com": {"StatusCode": "200", "GroupName": + "vnf-x-oam", "StatusMessage": "SUCCESS", “Output”:{“CPU”:60, + “Memory”:”10Gb”}}} + + b. Playbook failed execution on one of the hosts: {"Duration": + "10.8sec", “StatusCode”: 200, “StatusMessage”:”FINISHED”, + "Results": {"interface\_1.vnf\_b.onap.com": {"StatusCode": "500", + "GroupName": "vnf-x-oam", "StatusMessage": "Error executing + command ", "interface\_1.vnf\_b.onap.com": {"StatusCode": "200", + "GroupName": "vnf-x-oam", "StatusMessage": "SUCCESS", + “Output”:{“CPU”:60, “Memory”:”10Gb”}}} + + c. Playbook terminated: {"Duration": "61 sec", “StatusCode”: 500, + “StatusMessage”:”TERMINATED” } + + +.. [1] + ECOMP (Enhanced Control Orchestration, Management & Policy) + Architecture White Paper + (http://about.att.com/content/dam/snrdocs/ecomp.pdf) + +.. [2] + https://github.com/mbj4668/pyang + +.. [3] + Decision on which Chef Server instance associates with a VNF will be + made on a case-by-case basis depending on VNF, access requirements, + etc. and are outside the scope of this document. The specific + criteria for this would involve considerations like connectivity and + access required by the VNF, security, VNF topology and proprietary + cookbooks. + +.. [4] + Recall that the Node Object **is required** to be identical across + all VMs of a VNF invoked as part of the action except for the “name”. + +.. [5] + Decision on which Ansible Server to use may happen on a case-by-case + basis depending on VNF, access requirements etc. and are outside the + scope of this document. The specific criteria for this could involve + considerations like connectivity and access required by the VNF, + security, VNF topology and proprietary playbooks. + +.. [6] + Upstream elements must provide the appropriate FQDN in the request to + ONAP for the desired action. + +.. [7] + Multiple ONAP actions may map to one playbook. + +.. [8] + This option is not currently supported in ONAP and it is currently + under consideration. + +.. [9] + https://wiki.opnfv.org/display/PROJ/VNF+Event+Stream + +.. [10] + The “name” field is a mandatory field in a valid Chef Node Object + JSON dictionary.
\ No newline at end of file diff --git a/docs/Data_Model_For_Event_Records.png b/docs/Data_Model_For_Event_Records.png Binary files differnew file mode 100644 index 0000000..1cb7464 --- /dev/null +++ b/docs/Data_Model_For_Event_Records.png |