diff options
Diffstat (limited to 'docs')
30 files changed, 4856 insertions, 4720 deletions
diff --git a/docs/Chapter1.rst b/docs/Chapter1/index.rst index 4451c1d..a0b917e 100644 --- a/docs/Chapter1.rst +++ b/docs/Chapter1/index.rst @@ -2,9 +2,9 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2017 AT&T Intellectual Property. All rights reserved. - Purpose ======= + - The purpose of these requirements is to accelerate adoption of xNF best practices which will increase innovation, minimize customization needed to onboard xNFs as well as reduce implementation complexity, time and cost diff --git a/docs/Chapter2.rst b/docs/Chapter2/index.rst index c33c5c5..eab491d 100644 --- a/docs/Chapter2.rst +++ b/docs/Chapter2/index.rst @@ -5,6 +5,7 @@ Scope ===== + - The audience for this document are xNF providers, NCSPs and other interested 3rd parties who need to know the design, build and lifecycle management requirements for xNFs to be compliant with ONAP. @@ -63,4 +64,3 @@ To report issues on this document, please perform one of the following steps: to the onap-discuss email discussion list. Refer to the following instructions to subscribe to the mail list: https://wiki.onap.org/display/DW/Mailing+Lists - diff --git a/docs/Chapter3.rst b/docs/Chapter3/index.rst index a018721..84802f7 100644 --- a/docs/Chapter3.rst +++ b/docs/Chapter3/index.rst @@ -5,6 +5,7 @@ Introduction ============ + - These requirements are specific to the current release of ONAP. It is the initial release of requirements based on a merge of the Open-O and OpenECOMP requirements. @@ -42,4 +43,3 @@ Introduction formats. It also contains a list of the requirements that are listed in the other chapters as well as examples and models that are referenced throughout the rest of the chapters. - diff --git a/docs/Chapter4.rst b/docs/Chapter4.rst deleted file mode 100644 index 89df784..0000000 --- a/docs/Chapter4.rst +++ /dev/null @@ -1,1384 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2017 AT&T Intellectual Property. All rights reserved. - - -VNF Development Requirements -============================ - -VNF Design ----------- - -Services are composed of VNFs and common components and are designed to -be agnostic of the location to leverage capacity where it exists in the -Network Cloud. VNFs can be instantiated in any location that meets the -performance and latency requirements of the service. - -A key design principle for virtualizing services is decomposition of -network functions using NFV concepts into granular VNFs. This enables -instantiating and customizing only essential functions as needed for the -service, thereby making service delivery more nimble. It provides -flexibility of sizing and scaling and also provides flexibility with -packaging and deploying VNFs as needed for the service. It enables -grouping functions in a common cloud data center to minimize -inter-component latency. The VNFs should be designed with a goal of -being modular and reusable to enable using best-in-breed vendors. - -Section 5.a VNF Design in *VNF Guidelines* describes -the overall guidelines for designing VNFs from VNF Components (VNFCs). -Below are more detailed requirements for composing VNFs. - -VNF Design Requirements - -* R-58421 The VNF **SHOULD** be decomposed into granular re-usable VNFCs. -* R-82223 The VNF **MUST** be decomposed if the functions have - significantly different scaling characteristics (e.g., signaling - versus media functions, control versus data plane functions). -* R-16496 The VNF **MUST** enable instantiating only the functionality that - is needed for the decomposed VNF (e.g., if transcoding is not needed it - should not be instantiated). -* R-02360 The VNFC **MUST** be designed as a standalone, executable process. -* R-34484 The VNF **SHOULD** create a single component VNF for VNFCs - that can be used by other VNFs. -* R-23035 The VNF **MUST** be designed to scale horizontally (more - instances of a VNF or VNFC) and not vertically (moving the existing - instances to larger VMs or increasing the resources within a VM) - to achieve effective utilization of cloud resources. -* R-30650 The VNF **MUST** utilize cloud provided infrastructure and - VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so - that the cloud can manage and provide a consistent service resiliency - and methods across all VNF's. -* R-12709 The VNFC **SHOULD** be independently deployed, configured, - upgraded, scaled, monitored, and administered by ONAP. -* R-37692 The VNFC **MUST** provide API versioning to allow for - independent upgrades of VNFC. -* R-86585 The VNFC **SHOULD** minimize the use of state within - a VNFC to facilitate the movement of traffic from one instance - to another. -* R-65134 The VNF **SHOULD** maintain state in a geographically - redundant datastore that may, in fact, be its own VNFC. -* R-75850 The VNF **SHOULD** decouple persistent data from the VNFC - and keep it in its own datastore that can be reached by all instances - of the VNFC requiring the data. -* R-88199 The VNF **MUST** utilize a persistent datastore service that - can meet the data performance/latency requirements. (For example: - Datastore service could be a VNFC in VNF or a DBaaS in the Cloud - execution environment) -* R-99656 The VNF **MUST** NOT terminate stable sessions if a VNFC - instance fails. -* R-84473 The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring - high packets/sec performance. High packet throughput is defined as greater - than 500K packets/sec. -* R-54430 The VNF **MUST** use the NCSP’s supported library and compute - flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_ -* R-18864 The VNF **MUST** NOT use technologies that bypass virtualization - layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary - to meet functional or performance requirements). -* R-64768 The VNF **MUST** limit the size of application data packets - to no larger than 9000 bytes for SDN network-based tunneling when - guest data packets are transported between tunnel endpoints that - support guest logical networks. -* R-74481 The VNF **MUST** NOT require the use of a dynamic routing - protocol unless necessary to meet functional requirements. - -VNF Resiliency -------------------------- - -The VNF is responsible for meeting its resiliency goals and must factor -in expected availability of the targeted virtualization environment. -This is likely to be much lower than found in a traditional data center. -Resiliency is defined as the ability of the VNF to respond to error -conditions and continue to provide the service intended. A number of -software resiliency dimensions have been identified as areas that should -be addressed to increase resiliency. As VNFs are deployed into the -Network Cloud, resiliency must be designed into the VNF software to -provide high availability versus relying on the Network Cloud to achieve -that end. - -Section 5.a Resiliency in *VNF Guidelines* describes -the overall guidelines for designing VNFs to meet resiliency goals. -Below are more detailed resiliency requirements for VNFs. - -All Layer Redundancy -^^^^^^^^^^^^^^^^^^^^^^ - -Design the VNF to be resilient to the failures of the underlying -virtualized infrastructure (Network Cloud). VNF design considerations -would include techniques such as multiple vLANs, multiple local and -geographic instances, multiple local and geographic data replication, -and virtualized services such as Load Balancers. - - -All Layer Redundancy Requirements - -* R-52499 The VNF **MUST** meet their own resiliency goals and not rely - on the Network Cloud. -* R-42207 The VNF **MUST** design resiliency into a VNF such that the - resiliency deployment model (e.g., active-active) can be chosen at - run-time. -* R-03954 The VNF **MUST** survive any single points of failure within - the Network Cloud (e.g., virtual NIC, VM, disk failure). -* R-89010 The VNF **MUST** survive any single points of software failure - internal to the VNF (e.g., in memory structures, JMS message queues). -* R-67709 The VNF **MUST** be designed, built and packaged to enable - deployment across multiple fault zones (e.g., VNFCs deployed in - different servers, racks, OpenStack regions, geographies) so that - in the event of a planned/unplanned downtime of a fault zone, the - overall operation/throughput of the VNF is maintained. -* R-35291 The VNF **MUST** support the ability to failover a VNFC - automatically to other geographically redundant sites if not - deployed active-active to increase the overall resiliency of the VNF. -* R-36843 The VNF **MUST** support the ability of the VNFC to be deployable - in multi-zoned cloud sites to allow for site support in the event of cloud - zone failure or upgrades. -* R-00098 The VNF **MUST NOT** impact the ability of the VNF to provide - service/function due to a single container restart. -* R-79952 The VNF **SHOULD** support container snapshots if not for rebuild - and evacuate for rollback or back out mechanism. - -Minimize Cross Data-Center Traffic -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Avoid performance-sapping data center-to-data center replication delay -by applying techniques such as caching and persistent transaction paths -- Eliminate replication delay impact between data centers by using a -concept of stickiness (i.e., once a client is routed to data center "A", -the client will stay with Data center “A” until the entire session is -completed). - -Minimize Cross Data-Center Traffic Requirements - -* R-92935 The VNF **SHOULD** minimize the propagation of state information - across multiple data centers to avoid cross data center traffic. - -Application Resilient Error Handling -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Ensure an application communicating with a downstream peer is equipped -to intelligently handle all error conditions. Make sure code can handle -exceptions seamlessly - implement smart retry logic and implement -multi-point entry (multiple data centers) for back-end system -applications. - -Application Resilient Error Handling Requirements - -* R-26371 The VNF **MUST** detect communication failure for inter VNFC - instance and intra/inter VNF and re-establish communication - automatically to maintain the VNF without manual intervention to - provide service continuity. -* R-18725 The VNF **MUST** handle the restart of a single VNFC instance - without requiring all VNFC instances to be restarted. -* R-06668 The VNF **MUST** handle the start or restart of VNFC instances - in any order with each VNFC instance establishing or re-establishing - required connections or relationships with other VNFC instances and/or - VNFs required to perform the VNF function/role without requiring VNFC - instance(s) to be started/restarted in a particular order. -* R-80070 The VNF **MUST** handle errors and exceptions so that they do - not interrupt processing of incoming VNF requests to maintain service - continuity (where the error is not directly impacting the software - handling the incoming request). -* R-32695 The VNF **MUST** provide the ability to modify the number of - retries, the time between retries and the behavior/action taken after - the retries have been exhausted for exception handling to allow the - NCSP to control that behavior, where the interface and/or functional - specification allows for altering behaviour. -* R-48356 The VNF **MUST** fully exploit exception handling to the extent - that resources (e.g., threads and memory) are released when no longer - needed regardless of programming language. -* R-67918 The VNF **MUST** handle replication race conditions both locally - and geo-located in the event of a data base instance failure to maintain - service continuity. -* R-36792 The VNF **MUST** automatically retry/resubmit failed requests - made by the software to its downstream system to increase the success rate. -* R-70013 The VNF **MUST NOT** require any manual steps to get it ready for - service after a container rebuild. -* R-65515 The VNF **MUST** provide a mechanism and tool to start VNF - containers (VMs) without impacting service or service quality assuming - another VNF in same or other geographical location is processing service - requests. -* R-94978 The VNF **MUST** provide a mechanism and tool to perform a graceful - shutdown of all the containers (VMs) in the VNF without impacting service - or service quality assuming another VNF in same or other geographical - location can take over traffic and process service requests. - - -System Resource Optimization -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Ensure an application is using appropriate system resources for the task -at hand; for example, do not use network or IO operations inside -critical sections, which could end up blocking other threads or -processes or eating memory if they are unable to complete. Critical -sections should only contain memory operation, and should not contain -any network or IO operation. - - -System Resource Optimization Requirements - -* R-22059 The VNF **MUST NOT** execute long running tasks (e.g., IO, - database, network operations, service calls) in a critical section - of code, so as to minimize blocking of other operations and increase - concurrent throughput. -* R-63473 The VNF **MUST** automatically advertise newly scaled - components so there is no manual intervention required. -* R-74712 The VNF **MUST** utilize FQDNs (and not IP address) for - both Service Chaining and scaling. -* R-41159 The VNF **MUST** deliver any and all functionality from any - VNFC in the pool (where pooling is the most suitable solution). The - VNFC pool member should be transparent to the client. Upstream and - downstream clients should only recognize the function being performed, - not the member performing it. -* R-85959 The VNF **SHOULD** automatically enable/disable added/removed - sub-components or component so there is no manual intervention required. -* R-06885 The VNF **SHOULD** support the ability to scale down a VNFC pool - without jeopardizing active sessions. Ideally, an active session should - not be tied to any particular VNFC instance. -* R-12538 The VNF **SHOULD** support load balancing and discovery - mechanisms in resource pools containing VNFC instances. -* R-98989 The VNF **SHOULD** utilize resource pooling (threads, - connections, etc.) within the VNF application so that resources - are not being created and destroyed resulting in resource management - overhead. -* R-55345 The VNF **SHOULD** use techniques such as “lazy loading” when - initialization includes loading catalogues and/or lists which can grow - over time, so that the VNF startup time does not grow at a rate - proportional to that of the list. -* R-35532 The VNF **SHOULD** release and clear all shared assets (memory, - database operations, connections, locks, etc.) as soon as possible, - especially before long running sync and asynchronous operations, so as - to not prevent use of these assets by other entities. - - -Application Configuration Management -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Leverage configuration management audit capability to drive conformity -to develop gold configurations for technologies like Java, Python, etc. - -Application Configuration Management Requirements - -* R-77334 The VNF **MUST** allow configurations and configuration parameters - to be managed under version control to ensure consistent configuration - deployment, traceability and rollback. -* R-99766 The VNF **MUST** allow configurations and configuration parameters - to be managed under version control to ensure the ability to rollback to - a known valid configuration. -* R-73583 The VNF **MUST** allow changes of configuration parameters - to be consumed by the VNF without requiring the VNF or its sub-components - to be bounced so that the VNF availability is not effected. - - -Intelligent Transaction Distribution & Management -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Leverage Intelligent Load Balancing and redundant components (hardware -and modules) for all transactions, such that at any point in the -transaction: front end, middleware, back end -- a failure in any one -component does not result in a failure of the application or system; -i.e., transactions will continue to flow, albeit at a possibly reduced -capacity until the failed component restores itself. Create redundancy -in all layers (software and hardware) at local and remote data centers; -minimizing interdependencies of components (i.e. data replication, -deploying non-related elements in the same container). - -Intelligent Transaction Distribution & Management Requirements - -* R-21558 The VNF **SHOULD** use intelligent routing by having knowledge - of multiple downstream/upstream endpoints that are exposed to it, to - ensure there is no dependency on external services (such as load balancers) - to switch to alternate endpoints. -* R-08315 The VNF **SHOULD** use redundant connection pooling to connect - to any backend data source that can be switched between pools in an - automated/scripted fashion to ensure high availability of the connection - to the data source. -* R-27995 The VNF **SHOULD** include control loop mechanisms to notify - the consumer of the VNF of their exceeding SLA thresholds so the consumer - is able to control its load against the VNF. - -Deployment Optimization -^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Reduce opportunity for failure, by human or by machine, through smarter -deployment practices and automation. This can include rolling code -deployments, additional testing strategies, and smarter deployment -automation (remove the human from the mix). - -Deployment Optimization Requirements - -* R-73364 The VNF **MUST** support at least two major versions of the - VNF software and/or sub-components to co-exist within production - environments at any time so that upgrades can be applied across - multiple systems in a staggered manner. -* R-02454 The VNF **MUST** support the existence of multiple major/minor - versions of the VNF software and/or sub-components and interfaces that - support both forward and backward compatibility to be transparent to - the Service Provider usage. -* R-57855 The VNF **MUST** support hitless staggered/rolling deployments - between its redundant instances to allow "soak-time/burn in/slow roll" - which can enable the support of low traffic loads to validate the - deployment prior to supporting full traffic loads. -* R-64445 The VNF **MUST** support the ability of a requestor of the - service to determine the version (and therefore capabilities) of the - service so that Network Cloud Service Provider can understand the - capabilities of the service. -* R-56793 The VNF **MUST** test for adherence to the defined performance - budgets at each layer, during each delivery cycle with delivered - results, so that the performance budget is measured and the code - is adjusted to meet performance budget. -* R-77667 The VNF **MUST** test for adherence to the defined performance - budget at each layer, during each delivery cycle so that the performance - budget is measured and feedback is provided where the performance budget - is not met. -* R-49308 The VNF **SHOULD** test for adherence to the defined resiliency - rating recommendation at each layer, during each delivery cycle with - delivered results, so that the resiliency rating is measured and the - code is adjusted to meet software resiliency requirements. -* R-16039 The VNF **SHOULD** test for adherence to the defined - resiliency rating recommendation at each layer, during each - delivery cycle so that the resiliency rating is measured and - feedback is provided where software resiliency requirements are - not met. - -Monitoring & Dashboard -^^^^^^^^^^^^^^^^^^^^^^^^^ - -Promote dashboarding as a tool to monitor and support the general -operational health of a system. It is critical to the support of the -implementation of many resiliency patterns essential to the maintenance -of the system. It can help identify unusual conditions that might -indicate failure or the potential for failure. This would contribute to -improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and -post-incident diagnostics. - -Monitoring & Dashboard Requirements - -* R-34957 The VNF **MUST** provide a method of metrics gathering for each - layer's performance to identify/document variances in the allocations so - they can be addressed. -* R-49224 The VNF **MUST** provide unique traceability of a transaction - through its life cycle to ensure quick and efficient troubleshooting. -* R-52870 The VNF **MUST** provide a method of metrics gathering - and analysis to evaluate the resiliency of the software from both - a granular as well as a holistic standpoint. This includes, but is - not limited to thread utilization, errors, timeouts, and retries. -* R-92571 The VNF **MUST** provide operational instrumentation such as - logging, so as to facilitate quick resolution of issues with the VNF to - provide service continuity. -* R-48917 The VNF **MUST** monitor for and alert on (both sender and - receiver) errant, running longer than expected and missing file transfers, - so as to minimize the impact due to file transfer errors. -* R-28168 The VNF **SHOULD** use an appropriately configured logging - level that can be changed dynamically, so as to not cause performance - degradation of the VNF due to excessive logging. -* R-87352 The VNF **SHOULD** utilize Cloud health checks, when available - from the Network Cloud, from inside the application through APIs to check - the network connectivity, dropped packets rate, injection, and auto failover - to alternate sites if needed. -* R-16560 The VNF **SHOULD** conduct a resiliency impact assessment for all - inter/intra-connectivity points in the VNF to provide an overall resiliency - rating for the VNF to be incorporated into the software design and - development of the VNF. - -VNF Security ----------------------- - -The objective of this section is to provide the key security -requirements that need to be met by VNFs. The security requirements are -grouped into five areas as listed below. Other security areas will be -addressed in future updates. These security requirements are applicable -to all VNFs. Additional security requirements for specific types of VNFs -will be applicable and are outside the scope of these general -requirements. - -Section 5.a Security in *VNF Guidelines* outlines -the five broad security areas for VNFs that are detailed in the -following sections: - -- **VNF General Security**: This section addresses general security - requirements for the VNFs that the VNF provider will need to address. - -- **VNF Identity and Access Management**: This section addresses - security requirements with respect to Identity and Access Management - as these pertain to generic VNFs. - -- **VNF API Security**: This section addresses the generic security - requirements associated with APIs. These requirements are applicable - to those VNFs that use standard APIs for communication and data - exchange. - -- **VNF Security Analytics**: This section addresses the security - requirements associated with analytics for VNFs that deal with - monitoring, data collection and analysis. - -- **VNF Data Protection**: This section addresses the security - requirements associated with data protection. - -VNF General Security Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section provides details on the VNF general security requirements -on various security areas such as user access control, network security, -ACLs, infrastructure security, and vulnerability management. These -requirements cover topics associated with compliance, security patching, -logging/accounting, authentication, encryption, role-based access -control, least privilege access/authorization. The following security -requirements need to be met by the solution in a virtual environment: - -General Security Requirements - -Integration and operation within a robust security environment is necessary -and expected. The security architecture will include one or more of the -following: IDAM (Identity and Access Management) for all system and -applications access, Code scanning, network vulnerability scans, OS, -Database and application patching, malware detection and cleaning, -DDOS prevention, network security gateways (internal and external) -operating at various layers, host and application based tools for -security compliance validation, aggressive security patch application, -tightly controlled software distribution and change control processes -and other state of the art security solutions. The VNF is expected to -function reliably within such an environment and the developer is -expected to understand and accommodate such controls and can expected -to supply responsive interoperability support and testing throughout -the product’s lifecycle. - -* R-23740 The VNF **MUST** accommodate the security principle of - “least privilege” during development, implementation and operation. - The importance of “least privilege” cannot be overstated and must be - observed in all aspects of VNF development and not limited to security. - This is applicable to all sections of this document. -* R-61354 The VNF **MUST** implement access control list for OA&M - services (e.g., restricting access to certain ports or applications). -* R-85633 The VNF **MUST** implement Data Storage Encryption - (database/disk encryption) for Sensitive Personal Information (SPI) - and other subscriber identifiable data. Note: subscriber’s SPI/data - must be encrypted at rest, and other subscriber identifiable data - should be encrypted at rest. Other data protection requirements exist - and should be well understood by the developer. -* R-92207 The VNF **SHOULD** implement a mechanism for automated and - frequent "system configuration (automated provisioning / closed loop)" - auditing. -* R-23882 The VNF **SHOULD** be scanned using both network scanning - and application scanning security tools on all code, including underlying - OS and related configuration. Scan reports shall be provided. Remediation - roadmaps shall be made available for any findings. -* R-46986 The VNF **SHOULD** have source code scanned using scanning - tools (e.g., Fortify) and provide reports. -* R-55830 The VNF **MUST** distribute all production code from NCSP - internal sources only. No production code, libraries, OS images, etc. - shall be distributed from publically accessible depots. -* R-99771 The VNF **MUST** provide all code/configuration files in a - "Locked down" or hardened state or with documented recommendations for - such hardening. All unnecessary services will be disabled. VNF provider - default credentials, community strings and other such artifacts will be - removed or disclosed so that they can be modified or removed during - provisioning. -* R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of - traffic by application (dropping packets not belonging to the VPN) (i.e., - AVPN, IPSec VPN for Internet routes). -* R-33981 The VNF **SHOULD** interoperate with various access control - mechanisms for the Network Cloud execution environment (e.g., - Hypervisors, containers). -* R-40813 The VNF **SHOULD** support the use of virtual trusted platform - module, hypervisor security testing and standards scanning tools. -* R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that - it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual - routing and forwarding rules. -* R-26586 The VNF **SHOULD** support the ability to work with aliases - (e.g., gateways, proxies) to protect and encapsulate resources. -* R-49956 The VNF **MUST** pass all access to applications (Bearer, - signaling and OA&M) through various security tools and platforms from - ACLs, stateful firewalls and application layer gateways depending on - manner of deployment. The application is expected to function (and in - some cases, interwork) with these security tools. -* R-69649 The VNF **MUST** have all vulnerabilities patched as soon - as possible. Patching shall be controlled via change control process - with vulnerabilities disclosed along with mitigation recommendations. -* R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification, - authentication and access control of customer or VNF application users. -* R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with - the requirements if not using the NCSP’s IDAM API, for identification, - authentication and access control of OA&M and other system level - functions. -* R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support - User-IDs and passwords to uniquely identify the user/application. VNF - needs to have appropriate connectors to the Identity, Authentication - and Authorization systems that enables access at OS, Database and - Application levels as appropriate. -* R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide - the ability to support Multi-Factor Authentication (e.g., 1st factor = - Software token on device (RSA SecureID); 2nd factor = User Name+Password, - etc.) for the users. -* R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support - Role-Based Access Control to permit/limit the user/application to - performing specific activities. -* R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support - logging via ONAP for a historical view of “who did what and when”. -* R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt - OA&M access (e.g., SSH, SFTP). -* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce - a configurable maximum number of Login attempts policy for the users. - VNF provider must comply with "terminate idle sessions" policy. - Interactive sessions must be terminated, or a secure, locking screensaver - must be activated requiring authentication, after a configurable period - of inactivity. The system-based inactivity timeout for the enterprise - identity and access management system must also be configurable. -* R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with the NCSP’s credential management policy. -* R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire - passwords at regular configurable intervals. -* R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with "password complexity" policy. When passwords are used, they shall - be complex and shall at least meet the following password construction - requirements: (1) be a minimum configurable number of characters in - length, (2) include 3 of the 4 following types of characters: - upper-case alphabetic, lower-case alphabetic, numeric, and special, - (3) not be the same as the UserID with which they are associated or - other common strings as specified by the environment, (4) not contain - repeating or sequential characters or numbers, (5) not to use special - characters that may have command functions, and (6) new passwords must - not contain sequences of three or more characters from the previous - password. -* R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with "password changes (includes default passwords)" policy. Products - will support password aging, syntax and other credential management - practices on a configurable basis. -* R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support - use of common third party authentication and authorization tools such - as TACACS+, RADIUS. -* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply - with "No Self-Signed Certificates" policy. Self-signed certificates - must be used for encryption only, using specified and approved - encryption protocols such as TLS 1.2 or higher or equivalent security - protocols such as IPSec, AES. -* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, - authenticate system to system communications where one system - accesses the resources of another system, and must never conceal - individual accountability. - -VNF Identity and Access Management Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The following security requirements for logging, identity, and access -management need to be met by the solution in a virtual environment: - - -Identity and Access Management Requirements - -* R-95105 The VNF **MUST** host connectors for access to the application - layer. -* R-45496 The VNF **MUST** host connectors for access to the OS - (Operating System) layer. -* R-05470 The VNF **MUST** host connectors for access to the database layer. -* R-99174 The VNF **MUST** comply with Individual Accountability - (each person must be assigned a unique ID) when persons or non-person - entities access VNFs. -* R-42874 The VNF **MUST** comply with Least Privilege (no more - privilege than required to perform job functions) when persons - or non-person entities access VNFs. -* R-71787 The VNF **MUST** comply with Segregation of Duties (access to a - single layer and no developer may access production without special - oversight) when persons or non-person entities access VNFs. -* R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely. -* R-49945 The VNF **MUST** authorize VNF provider access through a - client application API by the client application owner and the resource - owner of the VNF before provisioning authorization through Role Based - Access Control (RBAC), Attribute Based Access Control (ABAC), or other - policy based mechanism. -* R-31751 The VNF **MUST** subject VNF provider access to privilege - reconciliation tools to prevent access creep and ensure correct - enforcement of access policies. -* R-34552 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for OWASP Top 10. -* R-29301 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Password Attacks. -* R-72243 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Phishing / SMishing. -* R-58998 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Malware (Key Logger). -* R-14025 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Session Hijacking. -* R-31412 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for XSS / CSRF. -* R-51883 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Replay. -* R-44032 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Man in the Middle (MITM). -* R-58977 The VNF **MUST** provide or support the Identity and Access - Management (IDAM) based threat detection data for Eavesdropping. -* R-24825 The VNF **MUST** provide Context awareness data (device, - location, time, etc.) and be able to integrate with threat detection system. -* R-59391 The VNF provider **MUST**, where a VNF provider requires - the assumption of permissions, such as root or administrator, first - log in under their individual user login ID then switch to the other - higher level account; or where the individual user login is infeasible, - must login with an account with admin privileges in a way that - uniquely identifies the individual performing the function. -* R-85028 The VNF **MUST** authenticate system to system access and - do not conceal a VNF provider user’s individual accountability for - transactions. -* R-80335 The VNF **MUST** make visible a Warning Notice: A formal - statement of resource intent, i.e., a warning notice, upon initial - access to a VNF provider user who accesses private internal networks - or Company computer resources, e.g., upon initial logon to an internal - web site, system or application which requires authentication. -* R-73541 The VNF **MUST** use access controls for VNFs and their - supporting computing systems at all times to restrict access to - authorized personnel only, e.g., least privilege. These controls - could include the use of system configuration or access control - software. -* R-64503 The VNF **MUST** provide minimum privileges for initial - and default settings for new user accounts. -* R-86835 The VNF **MUST** set the default settings for user access - to sensitive commands and data to deny authorization. -* R-77157 The VNF **MUST** conform to approved request, workflow - authorization, and authorization provisioning requirements when - creating privileged users. -* R-81147 The VNF **MUST** have greater restrictions for access and - execution, such as up to 3 factors of authentication and restricted - authorization, for commands affecting network services, such as - commands relating to VNFs. -* R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) - transmission of data on internal and external networks. -* R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. -* R-15671 The VNF **MUST NOT** provide public or unrestricted access - to any data without the permission of the data owner. All data - classification and access controls must be followed. -* R-89753 The VNF **MUST NOT** install or use systems, tools or - utilities capable of capturing or logging data that was not created - by them or sent specifically to them in production, without - authorization of the VNF system owner. -* R-19082 The VNF **MUST NOT** run security testing tools and - programs, e.g., password cracker, port scanners, hacking tools - in production, without authorization of the VNF system owner. -* R-19790 The VNF **MUST NOT** include authentication credentials - in security audit logs, even if encrypted. -* R-85419 The VNF **SHOULD** use REST APIs exposed to Client - Applications for the implementation of OAuth 2.0 Authorization - Code Grant and Client Credentials Grant, as the standard interface - for a VNF. -* R-48080 The VNF **SHOULD** support SCEP (Simple Certificate - Enrollment Protocol). - - -VNF API Security Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section covers API security requirements when these are used by the -VNFs. Key security areas covered in API security are Access Control, -Authentication, Passwords, PKI Authentication Alarming, Anomaly -Detection, Lawful Intercept, Monitoring and Logging, Input Validation, -Cryptography, Business continuity, Biometric Authentication, -Identification, Confidentiality and Integrity, and Denial of Service. - -The solution in a virtual environment needs to meet the following API -security requirements: - - -API Requirements - -* R-37608 The VNF **MUST** provide a mechanism to restrict access based - on the attributes of the VNF and the attributes of the subject. -* R-43884 The VNF **MUST** integrate with external authentication - and authorization services (e.g., IDAM). -* R-25878 The VNF **MUST** use certificates issued from publicly - recognized Certificate Authorities (CA) for the authentication process - where PKI-based authentication is used. -* R-19804 The VNF **MUST** validate the CA signature on the certificate, - ensure that the date is within the validity period of the certificate, - check the Certificate Revocation List (CRL), and recognize the identity - represented by the certificate where PKI-based authentication is used. -* R-47204 The VNF **MUST** protect the confidentiality and integrity of - data at rest and in transit from unauthorized access and modification. -* R-33488 The VNF **MUST** protect against all denial of service - attacks, both volumetric and non-volumetric, or integrate with external - denial of service protection tools. -* R-21652 The VNF **MUST** implement the following input validation - control: Check the size (length) of all input. Do not permit an amount - of input so great that it would cause the VNF to fail. Where the input - may be a file, the VNF API must enforce a size limit. -* R-54930 The VNF **MUST** implement the following input validation - control: Do not permit input that contains content or characters - inappropriate to the input expected by the design. Inappropriate input, - such as SQL insertions, may cause the system to execute undesirable - and unauthorized transactions against the database or allow other - inappropriate access to the internal network. -* R-21210 The VNF **MUST** implement the following input validation - control: Validate that any input file has a correct and valid - Multipurpose Internet Mail Extensions (MIME) type. Input files - should be tested for spoofed MIME types. -* R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs. -* R-87135 The VNF **MUST** comply with NIST standards and industry - best practices for all implementations of cryptography. -* R-02137 The VNF **MUST** implement all monitoring and logging as - described in the Security Analytics section. -* R-15659 The VNF **MUST** restrict changing the criticality level of - a system security alarm to administrator(s). -* R-19367 The VNF **MUST** monitor API invocation patterns to detect - anomalous access patterns that may represent fraudulent access or - other types of attacks, or integrate with tools that implement anomaly - and abuse detection. -* R-78066 The VNF **MUST** support requests for information from law - enforcement and government agencies. - - -VNF Security Analytics Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section covers VNF security analytics requirements that are mostly -applicable to security monitoring. The VNF Security Analytics cover the -collection and analysis of data following key areas of security -monitoring: - -- Anti-virus software - -- Logging - -- Data capture - -- Tasking - -- DPI - -- API based monitoring - -- Detection and notification - -- Resource exhaustion detection - -- Proactive and scalable monitoring - -- Mobility and guest VNF monitoring - -- Closed loop monitoring - -- Interfaces to management and orchestration - -- Malformed packet detections - -- Service chaining - -- Dynamic security control - -- Dynamic load balancing - -- Connection attempts to inactive ports (malicious port scanning) - -The following requirements of security monitoring need to be met by the -solution in a virtual environment. - -Security Analytics Requirements - -* R-48470 The VNF **MUST** support Real-time detection and - notification of security events. -* R-22286 The VNF **MUST** support Integration functionality via - API/Syslog/SNMP to other functional modules in the network (e.g., - PCRF, PCEF) that enable dynamic security control by blocking the - malicious traffic or malicious end users -* R-32636 The VNF **MUST** support API-based monitoring to take care of - the scenarios where the control interfaces are not exposed, or are - optimized and proprietary in nature. -* R-61648 The VNF **MUST** support event logging, formats, and delivery - tools to provide the required degree of event data to ONAP -* R-22367 The VNF **MUST** support detection of malformed packets due to - software misconfiguration or software vulnerability. -* R-31961 The VNF **MUST** support integrated DPI/monitoring functionality - as part of VNFs (e.g., PGW, MME). -* R-20912 The VNF **MUST** support alternative monitoring capabilities - when VNFs do not expose data or control traffic or use proprietary and - optimized protocols for inter VNF communication. -* R-73223 The VNF **MUST** support proactive monitoring to detect and - report the attacks on resources so that the VNFs and associated VMs can - be isolated, such as detection techniques for resource exhaustion, namely - OS resource attacks, CPU attacks, consumption of kernel memory, local - storage attacks. -* R-58370 The VNF **MUST** coexist and operate normally with commercial - anti-virus software which shall produce alarms every time when there is a - security incident. -* R-56920 The VNF **MUST** protect all security audit logs (including - API, OS and application-generated logs), security audit software, data, - and associated documentation from modification, or unauthorized viewing, - by standard OS access control mechanisms, by sending to a remote system, - or by encryption. -* R-54520 The VNF **MUST** log successful and unsuccessful login attempts. -* R-55478 The VNF **MUST** log logoffs. -* R-08598 The VNF **MUST** log successful and unsuccessful changes to - a privilege level. -* R-13344 The VNF **MUST** log starting and stopping of security - logging. -* R-07617 The VNF **MUST** log creating, removing, or changing the - inherent privilege level of users. -* R-94525 The VNF **MUST** log connections to a network listener of the - resource. -* R-31614 The VNF **MUST** log the field “event type” in the security - audit logs. -* R-97445 The VNF **MUST** log the field “date/time” in the security - audit logs. -* R-25547 The VNF **MUST** log the field “protocol” in the security audit logs. -* R-06413 The VNF **MUST** log the field “service or program used for - access” in the security audit logs. -* R-15325 The VNF **MUST** log the field “success/failure” in the - security audit logs. -* R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs. -* R-04982 The VNF **MUST NOT** include an authentication credential, - e.g., password, in the security audit logs, even if encrypted. -* R-63330 The VNF **MUST** detect when the security audit log storage - medium is approaching capacity (configurable) and issue an alarm via - SMS or equivalent as to allow time for proper actions to be taken to - pre-empt loss of audit data. -* R-41252 The VNF **MUST** support the capability of online storage of - security audit logs. -* R-41825 The VNF **MUST** activate security alarms automatically when - the following event is detected: configurable number of consecutive - unsuccessful login attempts -* R-43332 The VNF **MUST** activate security alarms automatically when - the following event is detected: successful modification of critical - system or application files -* R-74958 The VNF **MUST** activate security alarms automatically when - the following event is detected: unsuccessful attempts to gain permissions - or assume the identity of another user -* R-15884 The VNF **MUST** include the field “date” in the Security alarms - (where applicable and technically feasible). -* R-23957 The VNF **MUST** include the field “time” in the Security alarms - (where applicable and technically feasible). -* R-71842 The VNF **MUST** include the field “service or program used for - access” in the Security alarms (where applicable and technically feasible). -* R-57617 The VNF **MUST** include the field “success/failure” in the - Security alarms (where applicable and technically feasible). -* R-99730 The VNF **MUST** include the field “Login ID” in the Security - alarms (where applicable and technically feasible). -* R-29705 The VNF **MUST** restrict changing the criticality level of a - system security alarm to administrator(s). -* R-13627 The VNF **MUST** monitor API invocation patterns to detect - anomalous access patterns that may represent fraudulent access or other - types of attacks, or integrate with tools that implement anomaly and - abuse detection. -* R-21819 The VNF **MUST** support requests for information from law - enforcement and government agencies. -* R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation - (without human intervention) for Known Threats with detection rate in low - false positives. -* R-25094 The VNF **MUST** perform data capture for security functions. -* R-04492 The VNF **MUST** generate security audit logs that must be sent - to Security Analytics Tools for analysis. -* R-19219 The VNF **MUST** provide audit logs that include user ID, dates, - times for log-on and log-off, and terminal location at minimum. -* R-30932 The VNF **MUST** provide security audit logs including records - of successful and rejected system access data and other resource access - attempts. -* R-54816 The VNF **MUST** support the storage of security audit logs - for agreed period of time for forensic analysis. -* R-57271 The VNF **MUST** provide the capability of generating security - audit logs by interacting with the operating system (OS) as appropriate. -* R-84160 The VNF **MUST** have security logging for VNFs and their - OSs be active from initialization. Audit logging includes automatic - routines to maintain activity records and cleanup programs to ensure - the integrity of the audit/logging systems. - -VNF Data Protection Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section covers VNF data protection requirements that are mostly -applicable to security monitoring. - - -Data Protection Requirements - -* R-58964 The VNF **MUST** provide the capability to restrict read - and write access to data. -* R-99112 The VNF **MUST** provide the capability to restrict access - to data to specific users. -* R-83227 The VNF **MUST** Provide the capability to encrypt data in - transit on a physical or virtual network. -* R-32641 The VNF **MUST** provide the capability to encrypt data on - non-volatile memory. -* R-13151 The VNF **SHOULD** disable the paging of the data requiring - encryption, if possible, where the encryption of non-transient data is - required on a device for which the operating system performs paging to - virtual memory. If not possible to disable the paging of the data - requiring encryption, the virtual memory should be encrypted. -* R-93860 The VNF **MUST** provide the capability to integrate with an - external encryption service. -* R-73067 The VNF **MUST** use industry standard cryptographic algorithms - and standard modes of operations when implementing cryptography. -* R-22645 The VNF **SHOULD** use commercial algorithms only when there - are no applicable governmental standards for specific cryptographic - functions, e.g., public key cryptography, message digests. -* R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and - Skipjack algorithms or other compromised encryption. -* R-02170 The VNF **MUST** use, whenever possible, standard implementations - of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, - IPSec, X.509 digital certificates for cryptographic implementations. - These implementations must be purchased from reputable vendors and must - not be developed in-house. -* R-70933 The VNF **MUST** provide the ability to migrate to newer - versions of cryptographic algorithms and protocols with no impact. -* R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length. -* R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length. -* R-95864 The VNF **MUST** use commercial tools that comply with X.509 - standards and produce x.509 compliant keys for public/private key generation. -* R-12110 The VNF **MUST NOT** use keys generated or derived from - predictable functions or values, e.g., values considered predictable - include user identity information, time of day, stored/transmitted data. -* R-52060 The VNF **MUST** provide the capability to configure encryption - algorithms or devices so that they comply with the laws of the jurisdiction - in which there are plans to use data encryption. -* R-69610 The VNF **MUST** provide the capability of using certificates - issued from a Certificate Authority not provided by the VNF provider. -* R-83500 The VNF **MUST** provide the capability of allowing certificate - renewal and revocation. -* R-29977 The VNF **MUST** provide the capability of testing the validity - of a digital certificate by validating the CA signature on the certificate. -* R-24359 The VNF **MUST** provide the capability of testing the validity - of a digital certificate by validating the date the certificate is being - used is within the validity period for the certificate. -* R-39604 The VNF **MUST** provide the capability of testing the - validity of a digital certificate by checking the Certificate Revocation - List (CRL) for the certificates of that type to ensure that the - certificate has not been revoked. -* R-75343 The VNF **MUST** provide the capability of testing the - validity of a digital certificate by recognizing the identity represented - by the certificate — the "distinguished name". - -VNF Modularity ---------------------------- - -ONAP Heat Orchestration Templates: Overview -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -ONAP supports a modular Heat Orchestration Template design pattern, -referred to as *VNF Modularity.* - -ONAP VNF Modularity Overview -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -With VNF Modularity, a single VNF may be composed from one or more Heat -Orchestration Templates, each of which represents a subset of the -overall VNF. These component parts are referred to as “\ *VNF -Modules*\ ”. During orchestration, these modules are deployed -incrementally to create the complete VNF. - -A modular Heat Orchestration Template can be either one of the following -types: - -1. Base Module - -2. Incremental Module - -3. Cinder Volume Module - -* R-37028 The VNF **MUST** be composed of one “base” module. -* R-41215 The VNF **MAY** have zero to many “incremental” modules. -* R-20974 The VNF **MUST** deploy the base module first, prior to - the incremental modules. - -ONAP also supports the concept of an optional, independently deployed -Cinder volume via a separate Heat Orchestration Templates, referred to -as a Cinder Volume Module. This allows the volume to persist after a -Virtual Machine (VM) (i.e., OS::Nova::Server) is deleted, allowing the -volume to be reused on another instance (e.g., during a failover -activity). - -* R-11200 The VNF **MUST** keep the scope of a Cinder volume module, - when it exists, to be 1:1 with the VNF Base Module or Incremental Module. - -* R-38474 The VNF **MUST** have a corresponding environment file for - a Base Module. -* R-81725 The VNF **MUST** have a corresponding environment file for - an Incremental Module. -* R-53433 The VNF **MUST** have a corresponding environment file for - a Cinder Volume Module. - -These concepts will be described in more detail throughout the document. -This overview is provided to set the stage and help clarify the concepts -that will be introduced. - - -ONAP VNF Modularity -^^^^^^^^^^^^^^^^^^^^^^ - -ONAP supports a modular Heat Orchestration Template design pattern, -referred to as *VNF Modularity.* With this approach, a single VNF may be -composed from one or more Heat Orchestration Templates, each of which -represents a subset of the overall VNF. These component parts are -referred to as “\ *VNF Modules*\ ”. During orchestration, these modules -are deployed incrementally to create the complete VNF. - -A modular Heat Orchestration Template can be either one of the following -types: - -1. Base Module - -2. Incremental Module - -3. Cinder Volume Module - -A VNF must be composed of one “base” module and may be composed of zero -to many “incremental” modules. The base module must be deployed first, -prior to the incremental modules. - -ONAP also supports the concept of an optional, independently deployed -Cinder volume via a separate Heat Orchestration Templates, referred to -as a Cinder Volume Module. This allows the volume to persist after a VM -(i.e., OS::Nova::Server) is deleted, allowing the volume to be reused on -another instance (e.g., during a failover activity). - -The scope of a Cinder volume module, when it exists, must be 1:1 with a -Base module or Incremental Module. - -A Base Module must have a corresponding environment file. - -An Incremental Module must have a corresponding environment file. - -A Cinder Volume Module must have a corresponding environment file. - -A VNF module (base, incremental, cinder) may support nested templates. - -A shared Heat Orchestration Template resource must be defined in the -base module. A shared resource is a resource that that will be -referenced by another resource that is defined in the Base Module and/or -one or more incremental modules. - -When the shared resource needs to be referenced by a resource in an -incremental module, the UUID of the shared resource must be exposed by -declaring an ONAP Base Module Output Parameter. - -Note that a Cinder volume is *not* a shared resource. A volume template -must correspond 1:1 with a base module or incremental module. - -An example of a shared resource is the resource -OS::Neutron::SecurityGroup. Security groups are sets of IP filter rules -that are applied to a VNF’s networking. The resource OS::Neutron::Port -has a property security\_groups which provides the security groups -associated with port. The value of parameter(s) associated with this -property must be the UUIDs of the resource(s) -OS::Neutron::SecurityGroup. - -*Note:* A Cinder volume is *not* considered a shared resource. A volume -template must correspond 1:1 with a base template or add-on module -template. - -Suggested Patterns for Modular VNFs -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -There are numerous variations of VNF modularity. Below are two suggested -usage patterns. - -**Option 1: Modules per VNFC type** - -a. Base module contains only the shared resources. - -b. Group all VMs (e.g., VNFCs) of a given type (i.e. {vm-type}) into its - own incremental module. That is, the VNF has an incremental module - for each {vm-type}. - -c. For a given {vm-type} incremental module, the VNF may have - - i. One incremental module used for both initial turn up and re-used - for scaling. This approach is used when the number of VMs - instantiated will be the same for initial deployment and scaling. - - ii. Two incremental modules, where one is used for initial turn up - and one is used for scaling. This approach is used when the - number of VMs instantiated will be different for initial - deployment and scaling. - -**Option 2: Base VNF with Incremental Growth Modules** - -a. Base module contains a complete initial VNF instance - -b. Incremental modules for incremental scaling units - - i. May contain VMs of multiple types in logical scaling combinations - - ii. May be separated by VM type for multi-dimensional scaling - -With no growth units, Option 2 is equivalent to the “One Heat Template -per VNF” model. - -Note that modularization of VNFs is not required. A single Heat -Orchestration Template (a base module) may still define a complete VNF, -which might be appropriate for smaller VNFs that do not have any scaling -options. - -Modularity Rules -^^^^^^^^^^^^^^^^^^^ - -There are some rules to follow when building modular VNF templates: - -1. All VNFs must have one Base VNF Module (template) that must be the - first one deployed. The base template: - - a. Must include all shared resources (e.g., private networks, server - groups, security groups) - - b. Must expose all shared resources (by UUID) as “outputs” in its - associated Heat template (i.e., ONAP Base Module Output - Parameters) - - c. May include initial set of VMs - - d. May be operational as a stand-alone “minimum” configuration of the - VNF - -2. VNFs may have one or more incremental modules which: - - a. Defines additional resources that can be added to an existing VNF - - b. Must be complete Heat templates - - i. i.e. not snippets to be incorporated into some larger template - - c. Should define logical growth-units or sub-components of an overall - VNF - - d. On creation, receives appropriate Base Module outputs as - parameters - - i. Provides access to all shared resources (by UUID) - - ii. must not be dependent on other Add-On VNF Modules - - e. Multiple instances of an incremental Module may be added to the - same VNF (e.g., incrementally grow a VNF by a fixed “add-on” - growth units) - -3. Each VNF Module (base or incremental) may have (optional) an - associated Cinder Volume Module (see Cinder Volume Templates) - - a. Volume modules must correspond 1:1 with a base module or - incremental module - - b. A Cinder volume may be embedded within the base module or - incremental module if persistence is not required - -4. Shared resource UUIDs are passed between the base module and - incremental modules via Heat Outputs Parameters (i.e., Base Module - Output Parameters) - - a. The output parameter name in the base must match the parameter - name in the add-on module - -VNF Modularity Examples -^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*Example: Base Module creates SecurityGroup* - -A VNF has a base module, named base.yaml, that defines a -OS::Neutron::SecurityGroup. The security group will be referenced by an -OS::Neutron::Port resource in an incremental module, named -INCREMENTAL\_MODULE.yaml. The base module defines a parameter in the out -section named dns\_sec\_grp\_id. dns\_sec\_grp\_id is defined as a -parameter in the incremental module. ONAP captures the UUID value of -dns\_sec\_grp\_id from the base module output statement and provides the -value to the incremental module. - -Note that the example below is not a complete Heat Orchestration -Template. The {network-role} has been defined as oam to represent an oam -network and the {vm-type} has been defined as dns. - -base\_MODULE.yaml - -.. code-block:: yaml - - parameters: - . . . - - resources: - DNS_SECURITY_GROUP: - type: OS::Neutron::SecurityGroup - properties: - description: vDNS security group - name: - str_replace: - template: VNF_NAME_sec_grp_DNS - params: - VMF_NAME: {get_param: vnf_name} - rules: [. . . . . - - . . . - - outputs: - dns_sec_grp_id: - description: UUID of DNS Resource SecurityGroup - value: { get_resource: DNS_SECURITY_GROUP } - - -INCREMENTAL\_MODULE.yaml - -.. code-block:: yaml - - parameters: - dns_sec_grp_id: - type: string - description: security group UUID - . . . - - resources: - dns_oam_0_port: - type: OS::Neutron::Port - properties: - name: - str_replace: - template: VNF_NAME_dns_oam_port - params: - VNF_NAME: {get_param: vnf_name} - network: { get_param: oam_net_name } - fixed_ips: [{ "ip_address": { get_param: dns_oam_ip_0 }}] - security_groups: [{ get_param: dns_sec_grp_id }] - - -*Examples: Base Module creates an internal network* - -A VNF has a base module, named base\_module.yaml, that creates an -internal network. An incremental module, named incremental\_module.yaml, -will create a VM that will connect to the internal network. The base -module defines a parameter in the out section named int\_oam\_net\_id. -int\_oam\_net\_id is defined as a parameter in the incremental module. -ONAP captures the UUID value of int\_oam\_net\_id from the base module -output statement and provides the value to the incremental module. - -Note that the example below is not a complete Heat Orchestration -Template. The {network-role} has been defined as oam to represent an oam -network and the {vm-type} has been defined as lb for load balancer. - -base.yaml - -.. code-block:: yaml - - heat_template_version: 2013-05-23 - - resources: - int_oam_network: - type: OS::Neutron::Network - properties: - name: {… } - . . . - outputs: - int_oam_net_id: - value: {get_resource: int_oam_network } - - -incremental.yaml - -.. code-block:: yaml - - heat_template_version: 2013-05-23 - - parameters: - int_oam_net_id: - type: string - description: ID of shared private network from Base template - lb_name_0: - type: string - description: name for the add-on VM instance - - Resources: - lb_server: - type: OS::Nova::Server - properties: - name: {get_param: lb_name_0} - networks: - - port: { get_resource: lb_port } - . . . - - lb_port: - type: OS::Neutron::Port - properties: - network_id: { get_param: int_oam_net_id } - ... - -VNF Devops ---------------------- - -This section includes guidelines for VNF providers to ensure that a Network -Cloud Service Provider’s operations personnel have a common and -consistent way to support VNFs and VNFCs. - -NCSPs may elect to support standard images to enable compliance with -security, audit, regulatory and other needs. As part of the overall VNF -software bundle, VNF suppliers using standard images would typically -provide the NCSP with an install package consistent with the default OS -package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS). - -Section 5.a DevOps in *VNF Guidelines* describes -the DevOps guidelines for VNFs. - -DevOps Requirements - -* R-46960 NCSPs **MAY** operate a limited set of Guest OS and CPU - architectures and families, virtual machines, etc. -* R-23475 VNFCs **SHOULD** be agnostic to the details of the Network Cloud - (such as hardware, host OS, Hypervisor or container technology) and must run - on the Network Cloud with acknowledgement to the paradigm that the Network - Cloud will continue to rapidly evolve and the underlying components of - the platform will change regularly. -* R-33846 The VNF **MUST** install the NCSP required software on Guest OS - images when not using the NCSP provided Guest OS images. [1]_ -* R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [1]_ -* R-02997 The VNF **MUST** preserve their persistent data. Running VMs - will not be backed up in the Network Cloud infrastructure. -* R-29760 The VNFC **MUST** be installed on non-root file systems, - unless software is specifically included with the operating system - distribution of the guest image. -* R-20860 The VNF **MUST** be agnostic to the underlying infrastructure - (such as hardware, host OS, Hypervisor), any requirements should be - provided as specification to be fulfilled by any hardware. -* R-89800 The VNF **MUST NOT** require Hypervisor-level customization - from the cloud provider. -* R-86758 The VNF **SHOULD** provide an automated test suite to validate - every new version of the software on the target environment(s). The tests - should be of sufficient granularity to independently test various - representative VNF use cases throughout its lifecycle. Operations might - choose to invoke these tests either on a scheduled basis or on demand to - support various operations functions including test, turn-up and - troubleshooting. -* R-39650 The VNF **SHOULD** provide the ability to test incremental - growth of the VNF. -* R-14853 The VNF **MUST** respond to a "move traffic" [2]_ command - against a specific VNFC, moving all existing session elsewhere with - minimal disruption if a VNF provides a load balancing function across - multiple instances of its VNFCs. Note: Individual VNF performance - aspects (e.g., move duration or disruption scope) may require further - constraints. -* R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against - a specific VNFC, preventing new session from reaching the targeted VNFC, - with no disruption to active sessions on the impacted VNFC, if a VNF - provides a load balancing function across multiple instances of its VNFCs. - This is used to support scenarios such as proactive maintenance with no - user impact. -* R-64713 The VNF **SHOULD** support a software promotion methodology - from dev/test -> pre-prod -> production in software, development & - testing and operations. - -VNF Develop Steps --------------------------------- - -Aid to help the VNF provider to fasten the integration with the GVNFM, the -ONAP provides the VNF SDK tools, and the documents. In this charter, -the develop steps for VNF providers will be introduced. - -First, using the VNF SDK tools to design the VNF with TOSCA model and -output the VNF TOSCA package. The VNF package can be validated, and -tested. - -Second, the VNF provider should provide the VNF Rest API to integrate with -the GVNFM if needed. The VNF Rest API is aligned to the ETSI IFA -document. - -Third, the TOSCA model supports the HPA feature. - -Note: - -1. The scripts to extend capacity to satisfy some special requirements. - In the R2, the scripts is not implemented fully, and will be provided - in the next release. - -2. The monitoring and scale policy also be provide the next release. - - -.. [1] - Refer to NCSP’s Network Cloud specification - -.. [2] - Not currently supported in ONAP release 1 - diff --git a/docs/Chapter4/Design.rst b/docs/Chapter4/Design.rst new file mode 100644 index 0000000..e9003e6 --- /dev/null +++ b/docs/Chapter4/Design.rst @@ -0,0 +1,82 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +VNF Design +---------- + +Services are composed of VNFs and common components and are designed to +be agnostic of the location to leverage capacity where it exists in the +Network Cloud. VNFs can be instantiated in any location that meets the +performance and latency requirements of the service. + +A key design principle for virtualizing services is decomposition of +network functions using NFV concepts into granular VNFs. This enables +instantiating and customizing only essential functions as needed for the +service, thereby making service delivery more nimble. It provides +flexibility of sizing and scaling and also provides flexibility with +packaging and deploying VNFs as needed for the service. It enables +grouping functions in a common cloud data center to minimize +inter-component latency. The VNFs should be designed with a goal of +being modular and reusable to enable using best-in-breed vendors. + +Section 5.a VNF Design in *VNF Guidelines* describes +the overall guidelines for designing VNFs from VNF Components (VNFCs). +Below are more detailed requirements for composing VNFs. + +VNF Design Requirements + +* R-58421 The VNF **SHOULD** be decomposed into granular re-usable VNFCs. +* R-82223 The VNF **MUST** be decomposed if the functions have + significantly different scaling characteristics (e.g., signaling + versus media functions, control versus data plane functions). +* R-16496 The VNF **MUST** enable instantiating only the functionality that + is needed for the decomposed VNF (e.g., if transcoding is not needed it + should not be instantiated). +* R-02360 The VNFC **MUST** be designed as a standalone, executable process. +* R-34484 The VNF **SHOULD** create a single component VNF for VNFCs + that can be used by other VNFs. +* R-23035 The VNF **MUST** be designed to scale horizontally (more + instances of a VNF or VNFC) and not vertically (moving the existing + instances to larger VMs or increasing the resources within a VM) + to achieve effective utilization of cloud resources. +* R-30650 The VNF **MUST** utilize cloud provided infrastructure and + VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so + that the cloud can manage and provide a consistent service resiliency + and methods across all VNF's. +* R-12709 The VNFC **SHOULD** be independently deployed, configured, + upgraded, scaled, monitored, and administered by ONAP. +* R-37692 The VNFC **MUST** provide API versioning to allow for + independent upgrades of VNFC. +* R-86585 The VNFC **SHOULD** minimize the use of state within + a VNFC to facilitate the movement of traffic from one instance + to another. +* R-65134 The VNF **SHOULD** maintain state in a geographically + redundant datastore that may, in fact, be its own VNFC. +* R-75850 The VNF **SHOULD** decouple persistent data from the VNFC + and keep it in its own datastore that can be reached by all instances + of the VNFC requiring the data. +* R-88199 The VNF **MUST** utilize a persistent datastore service that + can meet the data performance/latency requirements. (For example: + Datastore service could be a VNFC in VNF or a DBaaS in the Cloud + execution environment) +* R-99656 The VNF **MUST** NOT terminate stable sessions if a VNFC + instance fails. +* R-84473 The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring + high packets/sec performance. High packet throughput is defined as greater + than 500K packets/sec. +* R-54430 The VNF **MUST** use the NCSP’s supported library and compute + flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_ +* R-18864 The VNF **MUST** NOT use technologies that bypass virtualization + layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary + to meet functional or performance requirements). +* R-64768 The VNF **MUST** limit the size of application data packets + to no larger than 9000 bytes for SDN network-based tunneling when + guest data packets are transported between tunnel endpoints that + support guest logical networks. +* R-74481 The VNF **MUST** NOT require the use of a dynamic routing + protocol unless necessary to meet functional requirements. + + +.. [1] + Refer to NCSP’s Network Cloud specification diff --git a/docs/Chapter4/Develop-Steps.rst b/docs/Chapter4/Develop-Steps.rst new file mode 100644 index 0000000..30fe07e --- /dev/null +++ b/docs/Chapter4/Develop-Steps.rst @@ -0,0 +1,29 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +VNF Develop Steps +----------------- + +Aid to help the VNF provider to fasten the integration with the GVNFM, the +ONAP provides the VNF SDK tools, and the documents. In this charter, +the develop steps for VNF providers will be introduced. + +First, using the VNF SDK tools to design the VNF with TOSCA model and +output the VNF TOSCA package. The VNF package can be validated, and +tested. + +Second, the VNF provider should provide the VNF Rest API to integrate with +the GVNFM if needed. The VNF Rest API is aligned to the ETSI IFA +document. + +Third, the TOSCA model supports the HPA feature. + +Note: + +1. The scripts to extend capacity to satisfy some special requirements. + In the R2, the scripts is not implemented fully, and will be provided + in the next release. + +2. The monitoring and scale policy also be provide the next release. diff --git a/docs/Chapter4/Devops.rst b/docs/Chapter4/Devops.rst new file mode 100644 index 0000000..702db95 --- /dev/null +++ b/docs/Chapter4/Devops.rst @@ -0,0 +1,74 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +VNF Devops +--------------------- + +This section includes guidelines for VNF providers to ensure that a Network +Cloud Service Provider’s operations personnel have a common and +consistent way to support VNFs and VNFCs. + +NCSPs may elect to support standard images to enable compliance with +security, audit, regulatory and other needs. As part of the overall VNF +software bundle, VNF suppliers using standard images would typically +provide the NCSP with an install package consistent with the default OS +package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS). + +Section 5.a DevOps in *VNF Guidelines* describes +the DevOps guidelines for VNFs. + +DevOps Requirements + +* R-46960 NCSPs **MAY** operate a limited set of Guest OS and CPU + architectures and families, virtual machines, etc. +* R-23475 VNFCs **SHOULD** be agnostic to the details of the Network Cloud + (such as hardware, host OS, Hypervisor or container technology) and must run + on the Network Cloud with acknowledgement to the paradigm that the Network + Cloud will continue to rapidly evolve and the underlying components of + the platform will change regularly. +* R-33846 The VNF **MUST** install the NCSP required software on Guest OS + images when not using the NCSP provided Guest OS images. [1]_ +* R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [1]_ +* R-02997 The VNF **MUST** preserve their persistent data. Running VMs + will not be backed up in the Network Cloud infrastructure. +* R-29760 The VNFC **MUST** be installed on non-root file systems, + unless software is specifically included with the operating system + distribution of the guest image. +* R-20860 The VNF **MUST** be agnostic to the underlying infrastructure + (such as hardware, host OS, Hypervisor), any requirements should be + provided as specification to be fulfilled by any hardware. +* R-89800 The VNF **MUST NOT** require Hypervisor-level customization + from the cloud provider. +* R-86758 The VNF **SHOULD** provide an automated test suite to validate + every new version of the software on the target environment(s). The tests + should be of sufficient granularity to independently test various + representative VNF use cases throughout its lifecycle. Operations might + choose to invoke these tests either on a scheduled basis or on demand to + support various operations functions including test, turn-up and + troubleshooting. +* R-39650 The VNF **SHOULD** provide the ability to test incremental + growth of the VNF. +* R-14853 The VNF **MUST** respond to a "move traffic" [2]_ command + against a specific VNFC, moving all existing session elsewhere with + minimal disruption if a VNF provides a load balancing function across + multiple instances of its VNFCs. Note: Individual VNF performance + aspects (e.g., move duration or disruption scope) may require further + constraints. +* R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against + a specific VNFC, preventing new session from reaching the targeted VNFC, + with no disruption to active sessions on the impacted VNFC, if a VNF + provides a load balancing function across multiple instances of its VNFCs. + This is used to support scenarios such as proactive maintenance with no + user impact. +* R-64713 The VNF **SHOULD** support a software promotion methodology + from dev/test -> pre-prod -> production in software, development & + testing and operations. + + +.. [1] + Refer to NCSP’s Network Cloud specification + +.. [2] + Not currently supported in ONAP release 1 + diff --git a/docs/Chapter4/Modularity.rst b/docs/Chapter4/Modularity.rst new file mode 100644 index 0000000..12024bd --- /dev/null +++ b/docs/Chapter4/Modularity.rst @@ -0,0 +1,352 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +VNF Modularity +-------------- + +ONAP Heat Orchestration Templates: Overview +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +ONAP supports a modular Heat Orchestration Template design pattern, +referred to as *VNF Modularity.* + +ONAP VNF Modularity Overview +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +With VNF Modularity, a single VNF may be composed from one or more Heat +Orchestration Templates, each of which represents a subset of the +overall VNF. These component parts are referred to as “\ *VNF +Modules*\ ”. During orchestration, these modules are deployed +incrementally to create the complete VNF. + +A modular Heat Orchestration Template can be either one of the following +types: + +1. Base Module + +2. Incremental Module + +3. Cinder Volume Module + +* R-37028 The VNF **MUST** be composed of one “base” module. +* R-41215 The VNF **MAY** have zero to many “incremental” modules. +* R-20974 The VNF **MUST** deploy the base module first, prior to + the incremental modules. + +ONAP also supports the concept of an optional, independently deployed +Cinder volume via a separate Heat Orchestration Templates, referred to +as a Cinder Volume Module. This allows the volume to persist after a +Virtual Machine (VM) (i.e., OS::Nova::Server) is deleted, allowing the +volume to be reused on another instance (e.g., during a failover +activity). + +* R-11200 The VNF **MUST** keep the scope of a Cinder volume module, + when it exists, to be 1:1 with the VNF Base Module or Incremental Module. + +* R-38474 The VNF **MUST** have a corresponding environment file for + a Base Module. +* R-81725 The VNF **MUST** have a corresponding environment file for + an Incremental Module. +* R-53433 The VNF **MUST** have a corresponding environment file for + a Cinder Volume Module. + +These concepts will be described in more detail throughout the document. +This overview is provided to set the stage and help clarify the concepts +that will be introduced. + + +ONAP VNF Modularity +^^^^^^^^^^^^^^^^^^^^^^ + +ONAP supports a modular Heat Orchestration Template design pattern, +referred to as *VNF Modularity.* With this approach, a single VNF may be +composed from one or more Heat Orchestration Templates, each of which +represents a subset of the overall VNF. These component parts are +referred to as “\ *VNF Modules*\ ”. During orchestration, these modules +are deployed incrementally to create the complete VNF. + +A modular Heat Orchestration Template can be either one of the following +types: + +1. Base Module + +2. Incremental Module + +3. Cinder Volume Module + +A VNF must be composed of one “base” module and may be composed of zero +to many “incremental” modules. The base module must be deployed first, +prior to the incremental modules. + +ONAP also supports the concept of an optional, independently deployed +Cinder volume via a separate Heat Orchestration Templates, referred to +as a Cinder Volume Module. This allows the volume to persist after a VM +(i.e., OS::Nova::Server) is deleted, allowing the volume to be reused on +another instance (e.g., during a failover activity). + +The scope of a Cinder volume module, when it exists, must be 1:1 with a +Base module or Incremental Module. + +A Base Module must have a corresponding environment file. + +An Incremental Module must have a corresponding environment file. + +A Cinder Volume Module must have a corresponding environment file. + +A VNF module (base, incremental, cinder) may support nested templates. + +A shared Heat Orchestration Template resource must be defined in the +base module. A shared resource is a resource that that will be +referenced by another resource that is defined in the Base Module and/or +one or more incremental modules. + +When the shared resource needs to be referenced by a resource in an +incremental module, the UUID of the shared resource must be exposed by +declaring an ONAP Base Module Output Parameter. + +Note that a Cinder volume is *not* a shared resource. A volume template +must correspond 1:1 with a base module or incremental module. + +An example of a shared resource is the resource +OS::Neutron::SecurityGroup. Security groups are sets of IP filter rules +that are applied to a VNF’s networking. The resource OS::Neutron::Port +has a property security\_groups which provides the security groups +associated with port. The value of parameter(s) associated with this +property must be the UUIDs of the resource(s) +OS::Neutron::SecurityGroup. + +*Note:* A Cinder volume is *not* considered a shared resource. A volume +template must correspond 1:1 with a base template or add-on module +template. + +Suggested Patterns for Modular VNFs +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There are numerous variations of VNF modularity. Below are two suggested +usage patterns. + +**Option 1: Modules per VNFC type** + +a. Base module contains only the shared resources. + +b. Group all VMs (e.g., VNFCs) of a given type (i.e. {vm-type}) into its + own incremental module. That is, the VNF has an incremental module + for each {vm-type}. + +c. For a given {vm-type} incremental module, the VNF may have + + i. One incremental module used for both initial turn up and re-used + for scaling. This approach is used when the number of VMs + instantiated will be the same for initial deployment and scaling. + + ii. Two incremental modules, where one is used for initial turn up + and one is used for scaling. This approach is used when the + number of VMs instantiated will be different for initial + deployment and scaling. + +**Option 2: Base VNF with Incremental Growth Modules** + +a. Base module contains a complete initial VNF instance + +b. Incremental modules for incremental scaling units + + i. May contain VMs of multiple types in logical scaling combinations + + ii. May be separated by VM type for multi-dimensional scaling + +With no growth units, Option 2 is equivalent to the “One Heat Template +per VNF” model. + +Note that modularization of VNFs is not required. A single Heat +Orchestration Template (a base module) may still define a complete VNF, +which might be appropriate for smaller VNFs that do not have any scaling +options. + +Modularity Rules +^^^^^^^^^^^^^^^^^^^ + +There are some rules to follow when building modular VNF templates: + +1. All VNFs must have one Base VNF Module (template) that must be the + first one deployed. The base template: + + a. Must include all shared resources (e.g., private networks, server + groups, security groups) + + b. Must expose all shared resources (by UUID) as “outputs” in its + associated Heat template (i.e., ONAP Base Module Output + Parameters) + + c. May include initial set of VMs + + d. May be operational as a stand-alone “minimum” configuration of the + VNF + +2. VNFs may have one or more incremental modules which: + + a. Defines additional resources that can be added to an existing VNF + + b. Must be complete Heat templates + + i. i.e. not snippets to be incorporated into some larger template + + c. Should define logical growth-units or sub-components of an overall + VNF + + d. On creation, receives appropriate Base Module outputs as + parameters + + i. Provides access to all shared resources (by UUID) + + ii. must not be dependent on other Add-On VNF Modules + + e. Multiple instances of an incremental Module may be added to the + same VNF (e.g., incrementally grow a VNF by a fixed “add-on” + growth units) + +3. Each VNF Module (base or incremental) may have (optional) an + associated Cinder Volume Module (see Cinder Volume Templates) + + a. Volume modules must correspond 1:1 with a base module or + incremental module + + b. A Cinder volume may be embedded within the base module or + incremental module if persistence is not required + +4. Shared resource UUIDs are passed between the base module and + incremental modules via Heat Outputs Parameters (i.e., Base Module + Output Parameters) + + a. The output parameter name in the base must match the parameter + name in the add-on module + +VNF Modularity Examples +^^^^^^^^^^^^^^^^^^^^^^^ + +*Example: Base Module creates SecurityGroup* + +A VNF has a base module, named base.yaml, that defines a +OS::Neutron::SecurityGroup. The security group will be referenced by an +OS::Neutron::Port resource in an incremental module, named +INCREMENTAL\_MODULE.yaml. The base module defines a parameter in the out +section named dns\_sec\_grp\_id. dns\_sec\_grp\_id is defined as a +parameter in the incremental module. ONAP captures the UUID value of +dns\_sec\_grp\_id from the base module output statement and provides the +value to the incremental module. + +Note that the example below is not a complete Heat Orchestration +Template. The {network-role} has been defined as oam to represent an oam +network and the {vm-type} has been defined as dns. + +base\_MODULE.yaml + +.. code-block:: yaml + + parameters: + . . . + + resources: + DNS_SECURITY_GROUP: + type: OS::Neutron::SecurityGroup + properties: + description: vDNS security group + name: + str_replace: + template: VNF_NAME_sec_grp_DNS + params: + VMF_NAME: {get_param: vnf_name} + rules: [. . . . . + + . . . + + outputs: + dns_sec_grp_id: + description: UUID of DNS Resource SecurityGroup + value: { get_resource: DNS_SECURITY_GROUP } + + +INCREMENTAL\_MODULE.yaml + +.. code-block:: yaml + + parameters: + dns_sec_grp_id: + type: string + description: security group UUID + . . . + + resources: + dns_oam_0_port: + type: OS::Neutron::Port + properties: + name: + str_replace: + template: VNF_NAME_dns_oam_port + params: + VNF_NAME: {get_param: vnf_name} + network: { get_param: oam_net_name } + fixed_ips: [{ "ip_address": { get_param: dns_oam_ip_0 }}] + security_groups: [{ get_param: dns_sec_grp_id }] + + +*Examples: Base Module creates an internal network* + +A VNF has a base module, named base\_module.yaml, that creates an +internal network. An incremental module, named incremental\_module.yaml, +will create a VM that will connect to the internal network. The base +module defines a parameter in the out section named int\_oam\_net\_id. +int\_oam\_net\_id is defined as a parameter in the incremental module. +ONAP captures the UUID value of int\_oam\_net\_id from the base module +output statement and provides the value to the incremental module. + +Note that the example below is not a complete Heat Orchestration +Template. The {network-role} has been defined as oam to represent an oam +network and the {vm-type} has been defined as lb for load balancer. + +base.yaml + +.. code-block:: yaml + + heat_template_version: 2013-05-23 + + resources: + int_oam_network: + type: OS::Neutron::Network + properties: + name: {… } + . . . + outputs: + int_oam_net_id: + value: {get_resource: int_oam_network } + + +incremental.yaml + +.. code-block:: yaml + + heat_template_version: 2013-05-23 + + parameters: + int_oam_net_id: + type: string + description: ID of shared private network from Base template + lb_name_0: + type: string + description: name for the add-on VM instance + + Resources: + lb_server: + type: OS::Nova::Server + properties: + name: {get_param: lb_name_0} + networks: + - port: { get_resource: lb_port } + . . . + + lb_port: + type: OS::Neutron::Port + properties: + network_id: { get_param: int_oam_net_id } + ... diff --git a/docs/Chapter4/Resiliency.rst b/docs/Chapter4/Resiliency.rst new file mode 100644 index 0000000..bf3e2e8 --- /dev/null +++ b/docs/Chapter4/Resiliency.rst @@ -0,0 +1,301 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +VNF Resiliency +------------------------- + +The VNF is responsible for meeting its resiliency goals and must factor +in expected availability of the targeted virtualization environment. +This is likely to be much lower than found in a traditional data center. +Resiliency is defined as the ability of the VNF to respond to error +conditions and continue to provide the service intended. A number of +software resiliency dimensions have been identified as areas that should +be addressed to increase resiliency. As VNFs are deployed into the +Network Cloud, resiliency must be designed into the VNF software to +provide high availability versus relying on the Network Cloud to achieve +that end. + +Section 5.a Resiliency in *VNF Guidelines* describes +the overall guidelines for designing VNFs to meet resiliency goals. +Below are more detailed resiliency requirements for VNFs. + +All Layer Redundancy +^^^^^^^^^^^^^^^^^^^^^^ + +Design the VNF to be resilient to the failures of the underlying +virtualized infrastructure (Network Cloud). VNF design considerations +would include techniques such as multiple vLANs, multiple local and +geographic instances, multiple local and geographic data replication, +and virtualized services such as Load Balancers. + + +All Layer Redundancy Requirements + +* R-52499 The VNF **MUST** meet their own resiliency goals and not rely + on the Network Cloud. +* R-42207 The VNF **MUST** design resiliency into a VNF such that the + resiliency deployment model (e.g., active-active) can be chosen at + run-time. +* R-03954 The VNF **MUST** survive any single points of failure within + the Network Cloud (e.g., virtual NIC, VM, disk failure). +* R-89010 The VNF **MUST** survive any single points of software failure + internal to the VNF (e.g., in memory structures, JMS message queues). +* R-67709 The VNF **MUST** be designed, built and packaged to enable + deployment across multiple fault zones (e.g., VNFCs deployed in + different servers, racks, OpenStack regions, geographies) so that + in the event of a planned/unplanned downtime of a fault zone, the + overall operation/throughput of the VNF is maintained. +* R-35291 The VNF **MUST** support the ability to failover a VNFC + automatically to other geographically redundant sites if not + deployed active-active to increase the overall resiliency of the VNF. +* R-36843 The VNF **MUST** support the ability of the VNFC to be deployable + in multi-zoned cloud sites to allow for site support in the event of cloud + zone failure or upgrades. +* R-00098 The VNF **MUST NOT** impact the ability of the VNF to provide + service/function due to a single container restart. +* R-79952 The VNF **SHOULD** support container snapshots if not for rebuild + and evacuate for rollback or back out mechanism. + +Minimize Cross Data-Center Traffic +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Avoid performance-sapping data center-to-data center replication delay +by applying techniques such as caching and persistent transaction paths +- Eliminate replication delay impact between data centers by using a +concept of stickiness (i.e., once a client is routed to data center "A", +the client will stay with Data center “A” until the entire session is +completed). + +Minimize Cross Data-Center Traffic Requirements + +* R-92935 The VNF **SHOULD** minimize the propagation of state information + across multiple data centers to avoid cross data center traffic. + +Application Resilient Error Handling +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Ensure an application communicating with a downstream peer is equipped +to intelligently handle all error conditions. Make sure code can handle +exceptions seamlessly - implement smart retry logic and implement +multi-point entry (multiple data centers) for back-end system +applications. + +Application Resilient Error Handling Requirements + +* R-26371 The VNF **MUST** detect communication failure for inter VNFC + instance and intra/inter VNF and re-establish communication + automatically to maintain the VNF without manual intervention to + provide service continuity. +* R-18725 The VNF **MUST** handle the restart of a single VNFC instance + without requiring all VNFC instances to be restarted. +* R-06668 The VNF **MUST** handle the start or restart of VNFC instances + in any order with each VNFC instance establishing or re-establishing + required connections or relationships with other VNFC instances and/or + VNFs required to perform the VNF function/role without requiring VNFC + instance(s) to be started/restarted in a particular order. +* R-80070 The VNF **MUST** handle errors and exceptions so that they do + not interrupt processing of incoming VNF requests to maintain service + continuity (where the error is not directly impacting the software + handling the incoming request). +* R-32695 The VNF **MUST** provide the ability to modify the number of + retries, the time between retries and the behavior/action taken after + the retries have been exhausted for exception handling to allow the + NCSP to control that behavior, where the interface and/or functional + specification allows for altering behaviour. +* R-48356 The VNF **MUST** fully exploit exception handling to the extent + that resources (e.g., threads and memory) are released when no longer + needed regardless of programming language. +* R-67918 The VNF **MUST** handle replication race conditions both locally + and geo-located in the event of a data base instance failure to maintain + service continuity. +* R-36792 The VNF **MUST** automatically retry/resubmit failed requests + made by the software to its downstream system to increase the success rate. +* R-70013 The VNF **MUST NOT** require any manual steps to get it ready for + service after a container rebuild. +* R-65515 The VNF **MUST** provide a mechanism and tool to start VNF + containers (VMs) without impacting service or service quality assuming + another VNF in same or other geographical location is processing service + requests. +* R-94978 The VNF **MUST** provide a mechanism and tool to perform a graceful + shutdown of all the containers (VMs) in the VNF without impacting service + or service quality assuming another VNF in same or other geographical + location can take over traffic and process service requests. + + +System Resource Optimization +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Ensure an application is using appropriate system resources for the task +at hand; for example, do not use network or IO operations inside +critical sections, which could end up blocking other threads or +processes or eating memory if they are unable to complete. Critical +sections should only contain memory operation, and should not contain +any network or IO operation. + + +System Resource Optimization Requirements + +* R-22059 The VNF **MUST NOT** execute long running tasks (e.g., IO, + database, network operations, service calls) in a critical section + of code, so as to minimize blocking of other operations and increase + concurrent throughput. +* R-63473 The VNF **MUST** automatically advertise newly scaled + components so there is no manual intervention required. +* R-74712 The VNF **MUST** utilize FQDNs (and not IP address) for + both Service Chaining and scaling. +* R-41159 The VNF **MUST** deliver any and all functionality from any + VNFC in the pool (where pooling is the most suitable solution). The + VNFC pool member should be transparent to the client. Upstream and + downstream clients should only recognize the function being performed, + not the member performing it. +* R-85959 The VNF **SHOULD** automatically enable/disable added/removed + sub-components or component so there is no manual intervention required. +* R-06885 The VNF **SHOULD** support the ability to scale down a VNFC pool + without jeopardizing active sessions. Ideally, an active session should + not be tied to any particular VNFC instance. +* R-12538 The VNF **SHOULD** support load balancing and discovery + mechanisms in resource pools containing VNFC instances. +* R-98989 The VNF **SHOULD** utilize resource pooling (threads, + connections, etc.) within the VNF application so that resources + are not being created and destroyed resulting in resource management + overhead. +* R-55345 The VNF **SHOULD** use techniques such as “lazy loading” when + initialization includes loading catalogues and/or lists which can grow + over time, so that the VNF startup time does not grow at a rate + proportional to that of the list. +* R-35532 The VNF **SHOULD** release and clear all shared assets (memory, + database operations, connections, locks, etc.) as soon as possible, + especially before long running sync and asynchronous operations, so as + to not prevent use of these assets by other entities. + + +Application Configuration Management +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Leverage configuration management audit capability to drive conformity +to develop gold configurations for technologies like Java, Python, etc. + +Application Configuration Management Requirements + +* R-77334 The VNF **MUST** allow configurations and configuration parameters + to be managed under version control to ensure consistent configuration + deployment, traceability and rollback. +* R-99766 The VNF **MUST** allow configurations and configuration parameters + to be managed under version control to ensure the ability to rollback to + a known valid configuration. +* R-73583 The VNF **MUST** allow changes of configuration parameters + to be consumed by the VNF without requiring the VNF or its sub-components + to be bounced so that the VNF availability is not effected. + + +Intelligent Transaction Distribution & Management +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Leverage Intelligent Load Balancing and redundant components (hardware +and modules) for all transactions, such that at any point in the +transaction: front end, middleware, back end -- a failure in any one +component does not result in a failure of the application or system; +i.e., transactions will continue to flow, albeit at a possibly reduced +capacity until the failed component restores itself. Create redundancy +in all layers (software and hardware) at local and remote data centers; +minimizing interdependencies of components (i.e. data replication, +deploying non-related elements in the same container). + +Intelligent Transaction Distribution & Management Requirements + +* R-21558 The VNF **SHOULD** use intelligent routing by having knowledge + of multiple downstream/upstream endpoints that are exposed to it, to + ensure there is no dependency on external services (such as load balancers) + to switch to alternate endpoints. +* R-08315 The VNF **SHOULD** use redundant connection pooling to connect + to any backend data source that can be switched between pools in an + automated/scripted fashion to ensure high availability of the connection + to the data source. +* R-27995 The VNF **SHOULD** include control loop mechanisms to notify + the consumer of the VNF of their exceeding SLA thresholds so the consumer + is able to control its load against the VNF. + +Deployment Optimization +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Reduce opportunity for failure, by human or by machine, through smarter +deployment practices and automation. This can include rolling code +deployments, additional testing strategies, and smarter deployment +automation (remove the human from the mix). + +Deployment Optimization Requirements + +* R-73364 The VNF **MUST** support at least two major versions of the + VNF software and/or sub-components to co-exist within production + environments at any time so that upgrades can be applied across + multiple systems in a staggered manner. +* R-02454 The VNF **MUST** support the existence of multiple major/minor + versions of the VNF software and/or sub-components and interfaces that + support both forward and backward compatibility to be transparent to + the Service Provider usage. +* R-57855 The VNF **MUST** support hitless staggered/rolling deployments + between its redundant instances to allow "soak-time/burn in/slow roll" + which can enable the support of low traffic loads to validate the + deployment prior to supporting full traffic loads. +* R-64445 The VNF **MUST** support the ability of a requestor of the + service to determine the version (and therefore capabilities) of the + service so that Network Cloud Service Provider can understand the + capabilities of the service. +* R-56793 The VNF **MUST** test for adherence to the defined performance + budgets at each layer, during each delivery cycle with delivered + results, so that the performance budget is measured and the code + is adjusted to meet performance budget. +* R-77667 The VNF **MUST** test for adherence to the defined performance + budget at each layer, during each delivery cycle so that the performance + budget is measured and feedback is provided where the performance budget + is not met. +* R-49308 The VNF **SHOULD** test for adherence to the defined resiliency + rating recommendation at each layer, during each delivery cycle with + delivered results, so that the resiliency rating is measured and the + code is adjusted to meet software resiliency requirements. +* R-16039 The VNF **SHOULD** test for adherence to the defined + resiliency rating recommendation at each layer, during each + delivery cycle so that the resiliency rating is measured and + feedback is provided where software resiliency requirements are + not met. + +Monitoring & Dashboard +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Promote dashboarding as a tool to monitor and support the general +operational health of a system. It is critical to the support of the +implementation of many resiliency patterns essential to the maintenance +of the system. It can help identify unusual conditions that might +indicate failure or the potential for failure. This would contribute to +improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and +post-incident diagnostics. + +Monitoring & Dashboard Requirements + +* R-34957 The VNF **MUST** provide a method of metrics gathering for each + layer's performance to identify/document variances in the allocations so + they can be addressed. +* R-49224 The VNF **MUST** provide unique traceability of a transaction + through its life cycle to ensure quick and efficient troubleshooting. +* R-52870 The VNF **MUST** provide a method of metrics gathering + and analysis to evaluate the resiliency of the software from both + a granular as well as a holistic standpoint. This includes, but is + not limited to thread utilization, errors, timeouts, and retries. +* R-92571 The VNF **MUST** provide operational instrumentation such as + logging, so as to facilitate quick resolution of issues with the VNF to + provide service continuity. +* R-48917 The VNF **MUST** monitor for and alert on (both sender and + receiver) errant, running longer than expected and missing file transfers, + so as to minimize the impact due to file transfer errors. +* R-28168 The VNF **SHOULD** use an appropriately configured logging + level that can be changed dynamically, so as to not cause performance + degradation of the VNF due to excessive logging. +* R-87352 The VNF **SHOULD** utilize Cloud health checks, when available + from the Network Cloud, from inside the application through APIs to check + the network connectivity, dropped packets rate, injection, and auto failover + to alternate sites if needed. +* R-16560 The VNF **SHOULD** conduct a resiliency impact assessment for all + inter/intra-connectivity points in the VNF to provide an overall resiliency + rating for the VNF to be incorporated into the software design and + development of the VNF. diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst new file mode 100644 index 0000000..a0691ae --- /dev/null +++ b/docs/Chapter4/Security.rst @@ -0,0 +1,563 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +VNF Security +---------------------- + +The objective of this section is to provide the key security +requirements that need to be met by VNFs. The security requirements are +grouped into five areas as listed below. Other security areas will be +addressed in future updates. These security requirements are applicable +to all VNFs. Additional security requirements for specific types of VNFs +will be applicable and are outside the scope of these general +requirements. + +Section 5.a Security in *VNF Guidelines* outlines +the five broad security areas for VNFs that are detailed in the +following sections: + +- **VNF General Security**: This section addresses general security + requirements for the VNFs that the VNF provider will need to address. + +- **VNF Identity and Access Management**: This section addresses + security requirements with respect to Identity and Access Management + as these pertain to generic VNFs. + +- **VNF API Security**: This section addresses the generic security + requirements associated with APIs. These requirements are applicable + to those VNFs that use standard APIs for communication and data + exchange. + +- **VNF Security Analytics**: This section addresses the security + requirements associated with analytics for VNFs that deal with + monitoring, data collection and analysis. + +- **VNF Data Protection**: This section addresses the security + requirements associated with data protection. + +VNF General Security Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section provides details on the VNF general security requirements +on various security areas such as user access control, network security, +ACLs, infrastructure security, and vulnerability management. These +requirements cover topics associated with compliance, security patching, +logging/accounting, authentication, encryption, role-based access +control, least privilege access/authorization. The following security +requirements need to be met by the solution in a virtual environment: + +General Security Requirements + +Integration and operation within a robust security environment is necessary +and expected. The security architecture will include one or more of the +following: IDAM (Identity and Access Management) for all system and +applications access, Code scanning, network vulnerability scans, OS, +Database and application patching, malware detection and cleaning, +DDOS prevention, network security gateways (internal and external) +operating at various layers, host and application based tools for +security compliance validation, aggressive security patch application, +tightly controlled software distribution and change control processes +and other state of the art security solutions. The VNF is expected to +function reliably within such an environment and the developer is +expected to understand and accommodate such controls and can expected +to supply responsive interoperability support and testing throughout +the product’s lifecycle. + +* R-23740 The VNF **MUST** accommodate the security principle of + “least privilege” during development, implementation and operation. + The importance of “least privilege” cannot be overstated and must be + observed in all aspects of VNF development and not limited to security. + This is applicable to all sections of this document. +* R-61354 The VNF **MUST** implement access control list for OA&M + services (e.g., restricting access to certain ports or applications). +* R-85633 The VNF **MUST** implement Data Storage Encryption + (database/disk encryption) for Sensitive Personal Information (SPI) + and other subscriber identifiable data. Note: subscriber’s SPI/data + must be encrypted at rest, and other subscriber identifiable data + should be encrypted at rest. Other data protection requirements exist + and should be well understood by the developer. +* R-92207 The VNF **SHOULD** implement a mechanism for automated and + frequent "system configuration (automated provisioning / closed loop)" + auditing. +* R-23882 The VNF **SHOULD** be scanned using both network scanning + and application scanning security tools on all code, including underlying + OS and related configuration. Scan reports shall be provided. Remediation + roadmaps shall be made available for any findings. +* R-46986 The VNF **SHOULD** have source code scanned using scanning + tools (e.g., Fortify) and provide reports. +* R-55830 The VNF **MUST** distribute all production code from NCSP + internal sources only. No production code, libraries, OS images, etc. + shall be distributed from publically accessible depots. +* R-99771 The VNF **MUST** provide all code/configuration files in a + "Locked down" or hardened state or with documented recommendations for + such hardening. All unnecessary services will be disabled. VNF provider + default credentials, community strings and other such artifacts will be + removed or disclosed so that they can be modified or removed during + provisioning. +* R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of + traffic by application (dropping packets not belonging to the VPN) (i.e., + AVPN, IPSec VPN for Internet routes). +* R-33981 The VNF **SHOULD** interoperate with various access control + mechanisms for the Network Cloud execution environment (e.g., + Hypervisors, containers). +* R-40813 The VNF **SHOULD** support the use of virtual trusted platform + module, hypervisor security testing and standards scanning tools. +* R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that + it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual + routing and forwarding rules. +* R-26586 The VNF **SHOULD** support the ability to work with aliases + (e.g., gateways, proxies) to protect and encapsulate resources. +* R-49956 The VNF **MUST** pass all access to applications (Bearer, + signaling and OA&M) through various security tools and platforms from + ACLs, stateful firewalls and application layer gateways depending on + manner of deployment. The application is expected to function (and in + some cases, interwork) with these security tools. +* R-69649 The VNF **MUST** have all vulnerabilities patched as soon + as possible. Patching shall be controlled via change control process + with vulnerabilities disclosed along with mitigation recommendations. +* R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification, + authentication and access control of customer or VNF application users. +* R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with + the requirements if not using the NCSP’s IDAM API, for identification, + authentication and access control of OA&M and other system level + functions. +* R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support + User-IDs and passwords to uniquely identify the user/application. VNF + needs to have appropriate connectors to the Identity, Authentication + and Authorization systems that enables access at OS, Database and + Application levels as appropriate. +* R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide + the ability to support Multi-Factor Authentication (e.g., 1st factor = + Software token on device (RSA SecureID); 2nd factor = User Name+Password, + etc.) for the users. +* R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support + Role-Based Access Control to permit/limit the user/application to + performing specific activities. +* R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support + logging via ONAP for a historical view of “who did what and when”. +* R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt + OA&M access (e.g., SSH, SFTP). +* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce + a configurable maximum number of Login attempts policy for the users. + VNF provider must comply with "terminate idle sessions" policy. + Interactive sessions must be terminated, or a secure, locking screensaver + must be activated requiring authentication, after a configurable period + of inactivity. The system-based inactivity timeout for the enterprise + identity and access management system must also be configurable. +* R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply + with the NCSP’s credential management policy. +* R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire + passwords at regular configurable intervals. +* R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply + with "password complexity" policy. When passwords are used, they shall + be complex and shall at least meet the following password construction + requirements: (1) be a minimum configurable number of characters in + length, (2) include 3 of the 4 following types of characters: + upper-case alphabetic, lower-case alphabetic, numeric, and special, + (3) not be the same as the UserID with which they are associated or + other common strings as specified by the environment, (4) not contain + repeating or sequential characters or numbers, (5) not to use special + characters that may have command functions, and (6) new passwords must + not contain sequences of three or more characters from the previous + password. +* R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply + with "password changes (includes default passwords)" policy. Products + will support password aging, syntax and other credential management + practices on a configurable basis. +* R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support + use of common third party authentication and authorization tools such + as TACACS+, RADIUS. +* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply + with "No Self-Signed Certificates" policy. Self-signed certificates + must be used for encryption only, using specified and approved + encryption protocols such as TLS 1.2 or higher or equivalent security + protocols such as IPSec, AES. +* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, + authenticate system to system communications where one system + accesses the resources of another system, and must never conceal + individual accountability. + +VNF Identity and Access Management Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The following security requirements for logging, identity, and access +management need to be met by the solution in a virtual environment: + + +Identity and Access Management Requirements + +* R-95105 The VNF **MUST** host connectors for access to the application + layer. +* R-45496 The VNF **MUST** host connectors for access to the OS + (Operating System) layer. +* R-05470 The VNF **MUST** host connectors for access to the database layer. +* R-99174 The VNF **MUST** comply with Individual Accountability + (each person must be assigned a unique ID) when persons or non-person + entities access VNFs. +* R-42874 The VNF **MUST** comply with Least Privilege (no more + privilege than required to perform job functions) when persons + or non-person entities access VNFs. +* R-71787 The VNF **MUST** comply with Segregation of Duties (access to a + single layer and no developer may access production without special + oversight) when persons or non-person entities access VNFs. +* R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely. +* R-49945 The VNF **MUST** authorize VNF provider access through a + client application API by the client application owner and the resource + owner of the VNF before provisioning authorization through Role Based + Access Control (RBAC), Attribute Based Access Control (ABAC), or other + policy based mechanism. +* R-31751 The VNF **MUST** subject VNF provider access to privilege + reconciliation tools to prevent access creep and ensure correct + enforcement of access policies. +* R-34552 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for OWASP Top 10. +* R-29301 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Password Attacks. +* R-72243 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Phishing / SMishing. +* R-58998 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Malware (Key Logger). +* R-14025 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Session Hijacking. +* R-31412 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for XSS / CSRF. +* R-51883 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Replay. +* R-44032 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Man in the Middle (MITM). +* R-58977 The VNF **MUST** provide or support the Identity and Access + Management (IDAM) based threat detection data for Eavesdropping. +* R-24825 The VNF **MUST** provide Context awareness data (device, + location, time, etc.) and be able to integrate with threat detection system. +* R-59391 The VNF provider **MUST**, where a VNF provider requires + the assumption of permissions, such as root or administrator, first + log in under their individual user login ID then switch to the other + higher level account; or where the individual user login is infeasible, + must login with an account with admin privileges in a way that + uniquely identifies the individual performing the function. +* R-85028 The VNF **MUST** authenticate system to system access and + do not conceal a VNF provider user’s individual accountability for + transactions. +* R-80335 The VNF **MUST** make visible a Warning Notice: A formal + statement of resource intent, i.e., a warning notice, upon initial + access to a VNF provider user who accesses private internal networks + or Company computer resources, e.g., upon initial logon to an internal + web site, system or application which requires authentication. +* R-73541 The VNF **MUST** use access controls for VNFs and their + supporting computing systems at all times to restrict access to + authorized personnel only, e.g., least privilege. These controls + could include the use of system configuration or access control + software. +* R-64503 The VNF **MUST** provide minimum privileges for initial + and default settings for new user accounts. +* R-86835 The VNF **MUST** set the default settings for user access + to sensitive commands and data to deny authorization. +* R-77157 The VNF **MUST** conform to approved request, workflow + authorization, and authorization provisioning requirements when + creating privileged users. +* R-81147 The VNF **MUST** have greater restrictions for access and + execution, such as up to 3 factors of authentication and restricted + authorization, for commands affecting network services, such as + commands relating to VNFs. +* R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) + transmission of data on internal and external networks. +* R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. +* R-15671 The VNF **MUST NOT** provide public or unrestricted access + to any data without the permission of the data owner. All data + classification and access controls must be followed. +* R-89753 The VNF **MUST NOT** install or use systems, tools or + utilities capable of capturing or logging data that was not created + by them or sent specifically to them in production, without + authorization of the VNF system owner. +* R-19082 The VNF **MUST NOT** run security testing tools and + programs, e.g., password cracker, port scanners, hacking tools + in production, without authorization of the VNF system owner. +* R-19790 The VNF **MUST NOT** include authentication credentials + in security audit logs, even if encrypted. +* R-85419 The VNF **SHOULD** use REST APIs exposed to Client + Applications for the implementation of OAuth 2.0 Authorization + Code Grant and Client Credentials Grant, as the standard interface + for a VNF. +* R-48080 The VNF **SHOULD** support SCEP (Simple Certificate + Enrollment Protocol). + + +VNF API Security Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section covers API security requirements when these are used by the +VNFs. Key security areas covered in API security are Access Control, +Authentication, Passwords, PKI Authentication Alarming, Anomaly +Detection, Lawful Intercept, Monitoring and Logging, Input Validation, +Cryptography, Business continuity, Biometric Authentication, +Identification, Confidentiality and Integrity, and Denial of Service. + +The solution in a virtual environment needs to meet the following API +security requirements: + + +API Requirements + +* R-37608 The VNF **MUST** provide a mechanism to restrict access based + on the attributes of the VNF and the attributes of the subject. +* R-43884 The VNF **MUST** integrate with external authentication + and authorization services (e.g., IDAM). +* R-25878 The VNF **MUST** use certificates issued from publicly + recognized Certificate Authorities (CA) for the authentication process + where PKI-based authentication is used. +* R-19804 The VNF **MUST** validate the CA signature on the certificate, + ensure that the date is within the validity period of the certificate, + check the Certificate Revocation List (CRL), and recognize the identity + represented by the certificate where PKI-based authentication is used. +* R-47204 The VNF **MUST** protect the confidentiality and integrity of + data at rest and in transit from unauthorized access and modification. +* R-33488 The VNF **MUST** protect against all denial of service + attacks, both volumetric and non-volumetric, or integrate with external + denial of service protection tools. +* R-21652 The VNF **MUST** implement the following input validation + control: Check the size (length) of all input. Do not permit an amount + of input so great that it would cause the VNF to fail. Where the input + may be a file, the VNF API must enforce a size limit. +* R-54930 The VNF **MUST** implement the following input validation + control: Do not permit input that contains content or characters + inappropriate to the input expected by the design. Inappropriate input, + such as SQL insertions, may cause the system to execute undesirable + and unauthorized transactions against the database or allow other + inappropriate access to the internal network. +* R-21210 The VNF **MUST** implement the following input validation + control: Validate that any input file has a correct and valid + Multipurpose Internet Mail Extensions (MIME) type. Input files + should be tested for spoofed MIME types. +* R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs. +* R-87135 The VNF **MUST** comply with NIST standards and industry + best practices for all implementations of cryptography. +* R-02137 The VNF **MUST** implement all monitoring and logging as + described in the Security Analytics section. +* R-15659 The VNF **MUST** restrict changing the criticality level of + a system security alarm to administrator(s). +* R-19367 The VNF **MUST** monitor API invocation patterns to detect + anomalous access patterns that may represent fraudulent access or + other types of attacks, or integrate with tools that implement anomaly + and abuse detection. +* R-78066 The VNF **MUST** support requests for information from law + enforcement and government agencies. + + +VNF Security Analytics Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section covers VNF security analytics requirements that are mostly +applicable to security monitoring. The VNF Security Analytics cover the +collection and analysis of data following key areas of security +monitoring: + +- Anti-virus software + +- Logging + +- Data capture + +- Tasking + +- DPI + +- API based monitoring + +- Detection and notification + +- Resource exhaustion detection + +- Proactive and scalable monitoring + +- Mobility and guest VNF monitoring + +- Closed loop monitoring + +- Interfaces to management and orchestration + +- Malformed packet detections + +- Service chaining + +- Dynamic security control + +- Dynamic load balancing + +- Connection attempts to inactive ports (malicious port scanning) + +The following requirements of security monitoring need to be met by the +solution in a virtual environment. + +Security Analytics Requirements + +* R-48470 The VNF **MUST** support Real-time detection and + notification of security events. +* R-22286 The VNF **MUST** support Integration functionality via + API/Syslog/SNMP to other functional modules in the network (e.g., + PCRF, PCEF) that enable dynamic security control by blocking the + malicious traffic or malicious end users +* R-32636 The VNF **MUST** support API-based monitoring to take care of + the scenarios where the control interfaces are not exposed, or are + optimized and proprietary in nature. +* R-61648 The VNF **MUST** support event logging, formats, and delivery + tools to provide the required degree of event data to ONAP +* R-22367 The VNF **MUST** support detection of malformed packets due to + software misconfiguration or software vulnerability. +* R-31961 The VNF **MUST** support integrated DPI/monitoring functionality + as part of VNFs (e.g., PGW, MME). +* R-20912 The VNF **MUST** support alternative monitoring capabilities + when VNFs do not expose data or control traffic or use proprietary and + optimized protocols for inter VNF communication. +* R-73223 The VNF **MUST** support proactive monitoring to detect and + report the attacks on resources so that the VNFs and associated VMs can + be isolated, such as detection techniques for resource exhaustion, namely + OS resource attacks, CPU attacks, consumption of kernel memory, local + storage attacks. +* R-58370 The VNF **MUST** coexist and operate normally with commercial + anti-virus software which shall produce alarms every time when there is a + security incident. +* R-56920 The VNF **MUST** protect all security audit logs (including + API, OS and application-generated logs), security audit software, data, + and associated documentation from modification, or unauthorized viewing, + by standard OS access control mechanisms, by sending to a remote system, + or by encryption. +* R-54520 The VNF **MUST** log successful and unsuccessful login attempts. +* R-55478 The VNF **MUST** log logoffs. +* R-08598 The VNF **MUST** log successful and unsuccessful changes to + a privilege level. +* R-13344 The VNF **MUST** log starting and stopping of security + logging. +* R-07617 The VNF **MUST** log creating, removing, or changing the + inherent privilege level of users. +* R-94525 The VNF **MUST** log connections to a network listener of the + resource. +* R-31614 The VNF **MUST** log the field “event type” in the security + audit logs. +* R-97445 The VNF **MUST** log the field “date/time” in the security + audit logs. +* R-25547 The VNF **MUST** log the field “protocol” in the security audit logs. +* R-06413 The VNF **MUST** log the field “service or program used for + access” in the security audit logs. +* R-15325 The VNF **MUST** log the field “success/failure” in the + security audit logs. +* R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs. +* R-04982 The VNF **MUST NOT** include an authentication credential, + e.g., password, in the security audit logs, even if encrypted. +* R-63330 The VNF **MUST** detect when the security audit log storage + medium is approaching capacity (configurable) and issue an alarm via + SMS or equivalent as to allow time for proper actions to be taken to + pre-empt loss of audit data. +* R-41252 The VNF **MUST** support the capability of online storage of + security audit logs. +* R-41825 The VNF **MUST** activate security alarms automatically when + the following event is detected: configurable number of consecutive + unsuccessful login attempts +* R-43332 The VNF **MUST** activate security alarms automatically when + the following event is detected: successful modification of critical + system or application files +* R-74958 The VNF **MUST** activate security alarms automatically when + the following event is detected: unsuccessful attempts to gain permissions + or assume the identity of another user +* R-15884 The VNF **MUST** include the field “date” in the Security alarms + (where applicable and technically feasible). +* R-23957 The VNF **MUST** include the field “time” in the Security alarms + (where applicable and technically feasible). +* R-71842 The VNF **MUST** include the field “service or program used for + access” in the Security alarms (where applicable and technically feasible). +* R-57617 The VNF **MUST** include the field “success/failure” in the + Security alarms (where applicable and technically feasible). +* R-99730 The VNF **MUST** include the field “Login ID” in the Security + alarms (where applicable and technically feasible). +* R-29705 The VNF **MUST** restrict changing the criticality level of a + system security alarm to administrator(s). +* R-13627 The VNF **MUST** monitor API invocation patterns to detect + anomalous access patterns that may represent fraudulent access or other + types of attacks, or integrate with tools that implement anomaly and + abuse detection. +* R-21819 The VNF **MUST** support requests for information from law + enforcement and government agencies. +* R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation + (without human intervention) for Known Threats with detection rate in low + false positives. +* R-25094 The VNF **MUST** perform data capture for security functions. +* R-04492 The VNF **MUST** generate security audit logs that must be sent + to Security Analytics Tools for analysis. +* R-19219 The VNF **MUST** provide audit logs that include user ID, dates, + times for log-on and log-off, and terminal location at minimum. +* R-30932 The VNF **MUST** provide security audit logs including records + of successful and rejected system access data and other resource access + attempts. +* R-54816 The VNF **MUST** support the storage of security audit logs + for agreed period of time for forensic analysis. +* R-57271 The VNF **MUST** provide the capability of generating security + audit logs by interacting with the operating system (OS) as appropriate. +* R-84160 The VNF **MUST** have security logging for VNFs and their + OSs be active from initialization. Audit logging includes automatic + routines to maintain activity records and cleanup programs to ensure + the integrity of the audit/logging systems. + +VNF Data Protection Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section covers VNF data protection requirements that are mostly +applicable to security monitoring. + + +Data Protection Requirements + +* R-58964 The VNF **MUST** provide the capability to restrict read + and write access to data. +* R-99112 The VNF **MUST** provide the capability to restrict access + to data to specific users. +* R-83227 The VNF **MUST** Provide the capability to encrypt data in + transit on a physical or virtual network. +* R-32641 The VNF **MUST** provide the capability to encrypt data on + non-volatile memory. +* R-13151 The VNF **SHOULD** disable the paging of the data requiring + encryption, if possible, where the encryption of non-transient data is + required on a device for which the operating system performs paging to + virtual memory. If not possible to disable the paging of the data + requiring encryption, the virtual memory should be encrypted. +* R-93860 The VNF **MUST** provide the capability to integrate with an + external encryption service. +* R-73067 The VNF **MUST** use industry standard cryptographic algorithms + and standard modes of operations when implementing cryptography. +* R-22645 The VNF **SHOULD** use commercial algorithms only when there + are no applicable governmental standards for specific cryptographic + functions, e.g., public key cryptography, message digests. +* R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and + Skipjack algorithms or other compromised encryption. +* R-02170 The VNF **MUST** use, whenever possible, standard implementations + of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, + IPSec, X.509 digital certificates for cryptographic implementations. + These implementations must be purchased from reputable vendors and must + not be developed in-house. +* R-70933 The VNF **MUST** provide the ability to migrate to newer + versions of cryptographic algorithms and protocols with no impact. +* R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length. +* R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length. +* R-95864 The VNF **MUST** use commercial tools that comply with X.509 + standards and produce x.509 compliant keys for public/private key generation. +* R-12110 The VNF **MUST NOT** use keys generated or derived from + predictable functions or values, e.g., values considered predictable + include user identity information, time of day, stored/transmitted data. +* R-52060 The VNF **MUST** provide the capability to configure encryption + algorithms or devices so that they comply with the laws of the jurisdiction + in which there are plans to use data encryption. +* R-69610 The VNF **MUST** provide the capability of using certificates + issued from a Certificate Authority not provided by the VNF provider. +* R-83500 The VNF **MUST** provide the capability of allowing certificate + renewal and revocation. +* R-29977 The VNF **MUST** provide the capability of testing the validity + of a digital certificate by validating the CA signature on the certificate. +* R-24359 The VNF **MUST** provide the capability of testing the validity + of a digital certificate by validating the date the certificate is being + used is within the validity period for the certificate. +* R-39604 The VNF **MUST** provide the capability of testing the + validity of a digital certificate by checking the Certificate Revocation + List (CRL) for the certificates of that type to ensure that the + certificate has not been revoked. +* R-75343 The VNF **MUST** provide the capability of testing the + validity of a digital certificate by recognizing the identity represented + by the certificate — the "distinguished name". diff --git a/docs/Chapter4/index.rst b/docs/Chapter4/index.rst new file mode 100644 index 0000000..15fd8df --- /dev/null +++ b/docs/Chapter4/index.rst @@ -0,0 +1,17 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +VNF Development Requirements +============================ + +.. toctree:: + :maxdepth: 2 + + Design + Resiliency + Security + Modularity + Devops + Develop-Steps diff --git a/docs/Chapter5/Creating-Vendor-Specific-VNFM-Adaptor-Microservices.rst b/docs/Chapter5/Creating-Vendor-Specific-VNFM-Adaptor-Microservices.rst new file mode 100644 index 0000000..d8b2c5e --- /dev/null +++ b/docs/Chapter5/Creating-Vendor-Specific-VNFM-Adaptor-Microservices.rst @@ -0,0 +1,34 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +Creating Vendor-Specific VNFM Adaptor Microservices +--------------------------------------------------- + +VNFs can be managed by vendor-specific VNFMs. To add a vendor-specific +VNFM to ONAP, a vendor-specific VNFM adaptor is added to ONAP implementing +the interface of the vendor-specific VNFM. + +A vendor-specific VNFM adaptor is a microservice with a unique name and +an appointed port. When started up, the vendor-specific VNFM adaptor +microservice is automatically registered to the Microservices Bus (MSB). +The following RESTful example describes the scenario of registering a +vendor-specific VNFM adaptor to MSB: + +.. code-block:: java + + POST /api/microservices/v1/services + { + "serviceName": "catalog", + "version": "v1", + "url": "/api/catalog/v1", + "protocol": "REST", + "visualRange": "1", + "nodes": [ + { + "ip": "10.74.56.36", + "port": "8988", + "ttl": 0 + } + ] + } diff --git a/docs/Chapter5.rst b/docs/Chapter5/Heat.rst index 830dd5e..fcd614f 100644 --- a/docs/Chapter5.rst +++ b/docs/Chapter5/Heat.rst @@ -2,823 +2,8 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2017 AT&T Intellectual Property. All rights reserved. - -VNF Modeling Requirements -========================= - -TOSCA YAML ----------- - - -Introduction -^^^^^^^^^^^^^^ - -This reference document is the VNF TOSCA Template Requirements for -ONAP, which provides recommendations and standards for building VNF -TOSCA templates compatible with ONAP initial implementations of -Network Cloud. It has the following features: - -1. VNF TOSCA template designer supports GUI and CLI. - -2. VNF TOSCA template is aligned to the newest TOSCA protocol, “Working - Draft 04-Revision 06”. - -3. VNF TOSCA template supports HPA features, such as NUMA, Hyper - Threading, SRIOV, etc. - -Intended Audience -^^^^^^^^^^^^^^^^^^ - -This document is intended for persons developing VNF TOSCA templates -that will be orchestrated by ONAP. - -Scope -^^^^^^^^^^^^^^^^ - -ONAP implementations of Network Cloud supports TOSCA Templates, also -referred to as TOSCA in this document. - -ONAP requires the TOSCA Templates to follow a specific format. This -document provides the mandatory, recommended, and optional requirements -associated with this format. - -Overview -^^^^^^^^^^^^^^^^ - -The document includes three charters to help the VNF providers to use the -VNF model design tools and understand the VNF package structure and VNF -TOSCA templates. - -In the ONAP, VNF Package and VNFD template can be designed by manually -or via model designer tools. VNF model designer tools can provide the -GUI and CLI tools for the VNF provider to develop the VNF Package and VNFD -template. - -The VNF package structure is align to the NFV TOSCA protocol, and -supports CSAR - -The VNFD and VNF package are all align to the NFV TOSCA protocol, which -supports multiple TOSCA template yaml files, and also supports -self-defined node or other extensions. - -NFV TOSCA Template -^^^^^^^^^^^^^^^^^^^^ - -TOSCA templates supported by ONAP must follow the requirements -enumerated in this section. - -TOSCA Introduction -^^^^^^^^^^^^^^^^^^^ - -TOSCA defines a Meta model for defining IT services. This Meta model -defines both the structure of a service as well as how to manage it. A -Topology Template (also referred to as the topology model of a service) -defines the structure of a service. Plans define the process models that -are used to create and terminate a service as well as to manage a -service during its whole lifetime. - -A Topology Template consists of a set of Node Templates and Relationship -Templates that together define the topology model of a service as a (not -necessarily connected) directed graph. A node in this graph is -represented by a *Node Template*. A Node Template specifies the -occurrence of a Node Type as a component of a service. A *Node Type* -defines the properties of such a component (via *Node Type Properties*) -and the operations (via *Interfaces*) available to manipulate the -component. Node Types are defined separately for reuse purposes and a -Node Template references a Node Type and adds usage constraints, such as -how many times the component can occur. - -|image1| - -Figure 1: Structural Elements of Service Template and their Relations - -TOSCA Modeling Principles & Data Model -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section describing TOSCA modeling principles and data model for -NFV, which shall be based on [TOSCA-1.0] and [TOSCA-Simple-Profile-YAML -V1.0], or new type based on ETSI NFV requirements, etc. - -VNF Descriptor Template -^^^^^^^^^^^^^^^^^^^^^^^^^ - -The VNF Descriptor (VNFD) describes the topology of the VNF by means of -ETSI NFV IFA011 [IFA011] terms such as VDUs, Connection Points, Virtual -Links, External Connection Points, Scaling Aspects, Instantiation Levels -and Deployment Flavours. - -The VNFD (VNF Descriptor) is read by both the NFVO and the VNFM. It -represents the contract & interface of a VNF and ensures the -interoperability across the NFV functional blocks. - -The main parts of the VNFD are the following: - -- VNF topology: it is modeled in a cloud agnostic way using virtualized - containers and their connectivity. Virtual Deployment Units (VDU) - describe the capabilities of the virtualized containers, such as - virtual CPU, RAM, disks; their connectivity is modeled with VDU - Connection Point Descriptors (VduCpd), Virtual Link Descriptors (Vld) - and VNF External Connection Point Descriptors (VnfExternalCpd); - -- VNF deployment aspects: they are described in one or more deployment - flavours, including instantiation levels, supported LCM operations, - VNF LCM operation configuration parameters, placement constraints - (affinity / antiaffinity), minimum and maximum VDU instance numbers, - and scaling aspect for horizontal scaling. - -The following table defines the TOSCA Type “derived from” values that -SHALL be used when using the TOSCA Simple Profile for NFV version 1.0 -specification [TOSCA-Simple-Profile-NFV-v1.0] for NFV VNFD with aggreed -changes from ETSI SOL001 draft. - -+---------------------+------------------------------------+-----------------+ -| **ETSI NFV Element**| **TOSCA VNFD** | **Derived from**| -| | | | -| **[IFA011]** | **[TOSCA-Simple-Profile-NFV-v1.0]**| | -+=====================+====================================+=================+ -| VNF | tosca.nodes.nfv.VNF | tosca.nodes.Root| -+---------------------+------------------------------------+-----------------+ -| Cpd (Connection | tosca.nodes.nfv.Cp | tosca.nodes.Root| -| Point) | tosca.nodes.nfv.Cp | tosca.nodes.Root| -+---------------------+------------------------------------+-----------------+ -| VduCpd (internal | tosca.nodes.nfv.VduCp | tosca.nodes.\ | -| connection point) | | nfv.Cp | -+---------------------+------------------------------------+-----------------+ -| VnfVirtualLinkDesc | tosca.nodes.nfv.VnfVirtualLink | tosca.nodes.Root| -| (Virtual Link) | | | -+---------------------+------------------------------------+-----------------+ -| VDU Virtual Storage | tosca.nodes.nfv.VDU.VirtualStorage | tosca.nodes.Root| -+---------------------+------------------------------------+-----------------+ -| VDU Virtual Compute | tosca.nodes.nfv.VDU.Compute | tosca.nodes.Root| -+---------------------+------------------------------------+-----------------+ -| Software Image | | | -+---------------------+------------------------------------+-----------------+ -| Deployment Flavour | | | -+---------------------+------------------------------------+-----------------+ -| Scaling Aspect | | | -+---------------------+------------------------------------+-----------------+ -| Element Group | | | -+---------------------+------------------------------------+-----------------+ -| Instantiation | | | -| Level | | | -+---------------------+------------------------------------+-----------------+ - - -+--------------------------------------------------------------------+ -| +--------------------------------------------------------------+ | -| | tosca\_definitions\_version: tosca\_simple\_yaml\_1\_0 | | -| | | | -| | description: VNFD TOSCA file demo | | -| | | | -| | imports: | | -| | | | -| | - TOSCA\_definition\_nfv\_1\_0.yaml | | -| | | | -| | - TOSCA\_definition\_nfv\_ext\_1\_0.yaml | | -| | | | -| | | **node\_types: | | -| | tosca.nodes.nfv.VNF.vOpenNAT: | | -| | derived\_from:** tosca.nodes.nfv.VNF | | -| | | **requirements: | | -| | **- **sriov\_plane: | | -| | capability:** tosca.capabilities.nfv.VirtualLinkable | | -| | | **node:** tosca.nodes.nfv.VnfVirtualLinkDesc | | -| | | **relationship:** tosca.relationships.nfv.VirtualLinksTo | | -| +--------------------------------------------------------------+ | -+====================================================================+ -+--------------------------------------------------------------------+ - -HPA Requirements -^^^^^^^^^^^^^^^^^^ - -1. SR-IOV Passthrought - -Definitions of SRIOV\_Port are necessary if VDU supports SR-IOV. Here is -an example. - -+------------------------------------------------+ -| node\_templates: | -| | -| vdu\_vNat: | -| | -| SRIOV\_Port: | -| | -| attributes: | -| | -| tosca\_name: SRIOV\_Port | -| | -| properties: | -| | -| virtual\_network\_interface\_requirements: | -| | -| - name: sriov | -| | -| support\_mandatory: false | -| | -| description: sriov | -| | -| requirement: | -| | -| SRIOV: true | -| | -| role: root | -| | -| description: sriov port | -| | -| layer\_protocol: ipv4 | -| | -| requirements: | -| | -| - virtual\_binding: | -| | -| capability: virtual\_binding | -| | -| node: vdu\_vNat | -| | -| relationship: | -| | -| type: tosca.relationships.nfv.VirtualBindsTo | -| | -| - virtual\_link: | -| | -| node: tosca.nodes.Root | -| | -| type: tosca.nodes.nfv.VduCpd | -| | -| substitution\_mappings: | -| | -| requirements: | -| | -| sriov\_plane: | -| | -| - SRIOV\_Port | -| | -| - virtual\_link | -| | -| node\_type: tosca.nodes.nfv.VNF.vOpenNAT | -+------------------------------------------------+ - -2. Hugepages - -Definitions of mem\_page\_size as one property shall be added to -Properties and set the value to large if one VDU node supports -huagepages. Here is an example. - -+----------------------------------+ -| node\_templates: | -| | -| vdu\_vNat: | -| | -| Hugepages: | -| | -| attributes: | -| | -| tosca\_name: Huge\_pages\_demo | -| | -| properties: | -| | -| mem\_page\_size:large | -+==================================+ -+----------------------------------+ - -3. NUMA (CPU/Mem) - -Likewise, we shall add definitions of numa to -requested\_additional\_capabilities if we wand VUD nodes to support -NUMA. Here is an example. - -+-------------------------------------------------+ -| topology\_template: | -| | -| node\_templates: | -| | -| vdu\_vNat: | -| | -| capabilities: | -| | -| virtual\_compute: | -| | -| properties: | -| | -| virtual\_memory: | -| | -| numa\_enabled: true | -| | -| virtual\_mem\_size: 2 GB | -| | -| requested\_additional\_capabilities: | -| | -| numa: | -| | -| support\_mandatory: true | -| | -| requested\_additional\_capability\_name: numa | -| | -| target\_performance\_parameters: | -| | -| hw:numa\_nodes: "2" | -| | -| hw:numa\_cpus.0: "0,1" | -| | -| hw:numa\_mem.0: "1024" | -| | -| hw:numa\_cpus.1: "2,3,4,5" | -| | -| hw:numa\_mem.1: "1024" | -+-------------------------------------------------+ - -4. Hyper-Theading - -Definitions of Hyper-Theading are necessary as one of -requested\_additional\_capabilities of one VUD node if that node -supports Hyper-Theading. Here is an example. - -+-------------------------------------------------------------+ -| topology\_template: | -| | -| node\_templates: | -| | -| vdu\_vNat: | -| | -| capabilities: | -| | -| virtual\_compute: | -| | -| properties: | -| | -| virtual\_memory: | -| | -| numa\_enabled: true | -| | -| virtual\_mem\_size: 2 GB | -| | -| requested\_additional\_capabilities: | -| | -| hyper\_threading: | -| | -| support\_mandatory: true | -| | -| requested\_additional\_capability\_name: hyper\_threading | -| | -| target\_performance\_parameters: | -| | -| hw:cpu\_sockets : "2" | -| | -| hw:cpu\_threads : "2" | -| | -| hw:cpu\_cores : "2" | -| | -| hw:cpu\_threads\_policy: "isolate" | -+-------------------------------------------------------------+ - -5. OVS+DPDK - -Definitions of ovs\_dpdk are necessary as one of -requested\_additional\_capabilities of one VUD node if that node -supports dpdk. Here is an example. - -+------------------------------------------------------+ -| topology\_template: | -| | -| node\_templates: | -| | -| vdu\_vNat: | -| | -| capabilities: | -| | -| virtual\_compute: | -| | -| properties: | -| | -| virtual\_memory: | -| | -| numa\_enabled: true | -| | -| virtual\_mem\_size: 2 GB | -| | -| requested\_additional\_capabilities: | -| | -| ovs\_dpdk: | -| | -| support\_mandatory: true | -| | -| requested\_additional\_capability\_name: ovs\_dpdk | -| | -| target\_performance\_parameters: | -| | -| sw:ovs\_dpdk: "true" | -+------------------------------------------------------+ - -NFV TOSCA Type Definition -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -tosca.capabilites.nfv.VirtualCompute -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This capability is used with the properties specified in ETSI SOL001 draft. - -tosca.nodes.nfv.VDU.Compute -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The NFV Virtualization Deployment Unit (VDU) compute node type -represents a VDU entity which it describes the deployment and -operational behavior of a VNF component (VNFC), as defined by **[ETSI -NFV IFA011].** - -+-----------------------+-------------------------------+ -| Shorthand Name | VDU.Compute | -+=======================+===============================+ -| Type Qualified Name | tosca:VDU.Compute | -+-----------------------+-------------------------------+ -| Type URI | tosca.nodes.nfv.VDU.Compute | -+-----------------------+-------------------------------+ -| derived\_from | tosca.nodes.Compute | -+-----------------------+-------------------------------+ - - - -Attributes -++++++++++++ - -None - - -Capabilities -++++++++++++++ - -+------------+--------------------+------------+------------------------------+ -| Name | Type | Constraints| Description | -+============+====================+============+==============================+ -| virtual\ | tosca.\ | | Describes virtual compute | -| _compute | capabilities.nfv.\ | | resources capabilities. | -| | VirtualCompute | | | -+------------+--------------------+------------+------------------------------+ -| monitoring\| tosca.\ | None | Monitoring parameter, which | -| _parameter | capabilities.nfv.\ | | can be tracked for a VNFC | -| | Metric | | based on this VDU | -| | | | | -| | | | Examples include: | -| | | | memory-consumption, | -| | | | CPU-utilisation, | -| | | | bandwidth-consumption, VNFC | -| | | | downtime, etc. | -+------------+--------------------+------------+------------------------------+ -| Virtual\ | tosca.\ | | Defines ability of | -| _binding | capabilities.nfv.\ | | VirtualBindable | -| | VirtualBindable | | | -| | | | | -| | editor note: need | | | -| | to create a | | | -| | capability type | | | -+------------+--------------------+------------+------------------------------+ - -Definition -++++++++++++ - -+-----------------------------------------------------------------------------+ -| tosca.nodes.nfv.VDU.Compute: | -| | -| derived\_from: tosca.nodes.Compute | -| | -| properties: | -| | -| name: | -| | -| type: string | -| | -| required: true | -| | -| description: | -| | -| type: string | -| | -| required: true | -| | -| boot\_order: | -| | -| type: list # explicit index (boot index) not necessary, contrary to IFA011 | -| | -| entry\_schema: | -| | -| type: string | -| | -| required: false | -| | -| nfvi\_constraints: | -| | -| type: list | -| | -| entry\_schema: | -| | -| type: string | -| | -| required: false | -| | -| configurable\_properties: | -| | -| type: map | -| | -| entry\_schema: | -| | -| type: tosca.datatypes.nfv.VnfcConfigurableProperties | -| | -| required: true | -| | -| attributes: | -| | -| private\_address: | -| | -| status: deprecated | -| | -| public\_address: | -| | -| status: deprecated | -| | -| networks: | -| | -| status: deprecated | -| | -| ports: | -| | -| status: deprecated | -| | -| capabilities: | -| | -| virtual\_compute: | -| | -| type: tosca.capabilities.nfv.VirtualCompute | -| | -| virtual\_binding: | -| | -| type: tosca.capabilities.nfv.VirtualBindable | -| | -| #monitoring\_parameter: | -| | -| # modeled as ad hoc (named) capabilities in VDU node template | -| | -| # for example: | -| | -| #capabilities: | -| | -| # cpu\_load: tosca.capabilities.nfv.Metric | -| | -| # memory\_usage: tosca.capabilities.nfv.Metric | -| | -| host: #Editor note: FFS. How this capabilities should be used in NFV Profile| -| | -| type: `*tosca.capabilities.Container* <#DEFN_TYPE_CAPABILITIES_CONTAINER>`__| -| | -| valid\_source\_types: | -| [`*tosca.nodes.SoftwareComponent* <#DEFN_TYPE_NODES_SOFTWARE_COMPONENT>`__] | -| | -| occurrences: [0,UNBOUNDED] | -| | -| endpoint: | -| | -| occurrences: [0,0] | -| | -| os: | -| | -| occurrences: [0,0] | -| | -| scalable: | -| #Editor note: FFS. How this capabilities should be used in NFV Profile | -| | -| type: `*tosca.capabilities.Scalable* <#DEFN_TYPE_CAPABILITIES_SCALABLE>`__ | -| | -| binding: | -| | -| occurrences: [0,UNBOUND] | -| | -| requirements: | -| | -| - virtual\_storage: | -| | -| capability: tosca.capabilities.nfv.VirtualStorage | -| | -| relationship: tosca.relationships.nfv.VDU.AttachedTo | -| | -| node: tosca.nodes.nfv.VDU.VirtualStorage | -| | -| occurences: [ 0, UNBOUNDED ] | -| | -| - local\_storage: #For NFV Profile, this requirement is deprecated. | -| | -| occurrences: [0,0] | -| | -| artifacts: | -| | -| - sw\_image: | -| | -| file: | -| | -| type: tosca.artifacts.nfv.SwImage | -+-----------------------------------------------------------------------------+ - -Artifact -++++++++++ - -Note: currently not supported. - -+--------+---------+----------------+------------+------------------------+ -| Name | Required| Type | Constraints| Description | -+========+=========+================+============+========================+ -| SwImage| Yes | tosca.\ | | Describes the software | -| | | artifacts.nfv.\| | image which is directly| -| | | SwImage | | realizing this virtual | -| | | | | storage | -+--------+---------+----------------+------------+------------------------+ - - -|image2| - - - -tosca.nodes.nfv.VDU.VirtualStorage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The NFV VirtualStorage node type represents a virtual storage entity -which it describes the deployment and operational behavior of a virtual -storage resources, as defined by **[ETSI NFV IFA011].** - -**[editor note]** open issue: should NFV profile use the current storage -model as described in YAML 1.1. Pending on Shitao proposal (see -NFVIFA(17)000110 discussion paper) - -**[editor note]** new relationship type as suggested in Matt -presentation. Slide 8. With specific rules of “valid\_target\_type” - -+---------------------------+--------------------------------------+ -| **Shorthand Name** | VirtualStorage | -+===========================+======================================+ -| **Type Qualified Name** | tosca: VirtualStorage | -+---------------------------+--------------------------------------+ -| **Type URI** | tosca.nodes.nfv.VDU.VirtualStorage | -+---------------------------+--------------------------------------+ -| **derived\_from** | tosca.nodes.Root | -+---------------------------+--------------------------------------+ - -tosca.artifacts.nfv.SwImage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -+---------------------------+------------------------------------+ -| **Shorthand Name** | SwImage | -+===========================+====================================+ -| **Type Qualified Name** | tosca:SwImage | -+---------------------------+------------------------------------+ -| **Type URI** | tosca.artifacts.nfv.SwImage | -+---------------------------+------------------------------------+ -| **derived\_from** | tosca.artifacts.Deployment.Image | -+---------------------------+------------------------------------+ - -Properties -++++++++++++ - -+-----------------+---------+----------+------------+-------------------------+ -| Name | Required| Type | Constraints| Description | -+=================+=========+==========+============+=========================+ -| name | yes | string | | Name of this software | -| | | | | image | -+-----------------+---------+----------+------------+-------------------------+ -| version | yes | string | | Version of this software| -| | | | | image | -+-----------------+---------+----------+------------+-------------------------+ -| checksum | yes | string | | Checksum of the software| -| | | | | image file | -+-----------------+---------+----------+------------+-------------------------+ -| container\ | yes | string | | The container format | -| _format | | | | describes the container | -| | | | | file format in which | -| | | | | software image is | -| | | | | provided. | -+-----------------+---------+----------+------------+-------------------------+ -| disk\_format | yes | string | | The disk format of a | -| | | | | software image is the | -| | | | | format of the underlying| -| | | | | disk image | -+-----------------+---------+----------+------------+-------------------------+ -| min\_disk | yes | scalar-\ | | The minimal disk size | -| | | unit.size| | requirement for this | -| | | | | software image. | -+-----------------+---------+----------+------------+-------------------------+ -| min\_ram | no | scalar-\ | | The minimal RAM | -| | | unit.size| | requirement for this | -| | | | | software image. | -+-----------------+---------+----------+------------+-------------------------+ -| Size | yes | scalar-\ | | The size of this | -| | | unit.size| | software image | -+-----------------+---------+----------+------------+-------------------------+ -| sw\_image | yes | string | | A reference to the | -| | | | | actual software image | -| | | | | within VNF Package, or | -| | | | | url. | -+-----------------+---------+----------+------------+-------------------------+ -| operating\ | no | string | | Identifies the operating| -| _system | | | | system used in the | -| | | | | software image. | -+-----------------+---------+----------+------------+-------------------------+ -| supported\ | no | list | | Identifies the | -| _virtualization\| | | | virtualization | -| _enviroment | | | | environments (e.g. | -| | | | | hypervisor) compatible | -| | | | | with this software image| -+-----------------+---------+----------+------------+-------------------------+ - -Definition -+++++++++++ - -+-----------------------------------------------------+ -| tosca.artifacts.nfv.SwImage: | -| | -| derived\_from: tosca.artifacts.Deployment.Image | -| | -| properties or metadata: | -| | -| #id: | -| | -| # node name | -| | -| name: | -| | -| type: string | -| | -| required: true | -| | -| version: | -| | -| type: string | -| | -| required: true | -| | -| checksum: | -| | -| type: string | -| | -| required: true | -| | -| container\_format: | -| | -| type: string | -| | -| required: true | -| | -| disk\_format: | -| | -| type: string | -| | -| required: true | -| | -| min\_disk: | -| | -| type: scalar-unit.size # Number | -| | -| required: true | -| | -| min\_ram: | -| | -| type: scalar-unit.size # Number | -| | -| required: false | -| | -| size: | -| | -| type: scalar-unit.size # Number | -| | -| required: true | -| | -| sw\_image: | -| | -| type: string | -| | -| required: true | -| | -| operating\_system: | -| | -| type: string | -| | -| required: false | -| | -| supported\_virtualisation\_environments: | -| | -| type: list | -| | -| entry\_schema: | -| | -| type: string | -| | -| required: false | -+-----------------------------------------------------+ - -.. |image1| image:: Image1.png - :width: 5.76806in - :height: 4.67161in -.. |image2| image:: Image2.png - :width: 5.40486in - :height: 2.46042in - - Heat -------------- +---- General Guidelines ^^^^^^^^^^^^^^^^^^ @@ -5388,50 +4573,3 @@ to the Heat template. *Note:* It is important to follow this convention to the extent possible even in the short-term as of the long-term direction. - -VNFM Driver Development Steps ------------------------------------------------------------ - -Refer to the ONAP documentation for VNF Provider instructions on integrating -vendor-specific VNFM adaptors with VF-C. The VNF driver development steps are -highlighted below. - -1. Use the VNF SDK tools to design the VNF with TOSCA models to output -the VNF TOSCA package. Using the VNF SDK tools, the VNF package can be -validated and tested. - -2. The VNF Provider supplies a vendor-specific VNFM driver in ONAP, which -is a microservice providing a translation interface from VF-C to -the vendor-specific VNFM. The interface definitions of vendor-specific -VNFM adaptors are supplied by the VNF Providers themselves. - -Creating Vendor-Specific VNFM Adaptor Microservices ------------------------------------------------------------------------------------------------- - -VNFs can be managed by vendor-specific VNFMs. To add a vendor-specific -VNFM to ONAP, a vendor-specific VNFM adaptor is added to ONAP implementing -the interface of the vendor-specific VNFM. - -A vendor-specific VNFM adaptor is a microservice with a unique name and -an appointed port. When started up, the vendor-specific VNFM adaptor -microservice is automatically registered to the Microservices Bus (MSB). -The following RESTful example describes the scenario of registering a -vendor-specific VNFM adaptor to MSB: - -.. code-block:: java - - POST /api/microservices/v1/services - { - "serviceName": "catalog", - "version": "v1", - "url": "/api/catalog/v1", - "protocol": "REST", - "visualRange": "1", - "nodes": [ - { - "ip": "10.74.56.36", - "port": "8988", - "ttl": 0 - } - ] - } diff --git a/docs/Chapter5/Tosca.rst b/docs/Chapter5/Tosca.rst new file mode 100644 index 0000000..3dbc2f3 --- /dev/null +++ b/docs/Chapter5/Tosca.rst @@ -0,0 +1,813 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +TOSCA YAML +---------- + + +Introduction +^^^^^^^^^^^^ + +This reference document is the VNF TOSCA Template Requirements for +ONAP, which provides recommendations and standards for building VNF +TOSCA templates compatible with ONAP initial implementations of +Network Cloud. It has the following features: + +1. VNF TOSCA template designer supports GUI and CLI. + +2. VNF TOSCA template is aligned to the newest TOSCA protocol, “Working + Draft 04-Revision 06”. + +3. VNF TOSCA template supports HPA features, such as NUMA, Hyper + Threading, SRIOV, etc. + +Intended Audience +^^^^^^^^^^^^^^^^^^ + +This document is intended for persons developing VNF TOSCA templates +that will be orchestrated by ONAP. + +Scope +^^^^^^^^^^^^^^^^ + +ONAP implementations of Network Cloud supports TOSCA Templates, also +referred to as TOSCA in this document. + +ONAP requires the TOSCA Templates to follow a specific format. This +document provides the mandatory, recommended, and optional requirements +associated with this format. + +Overview +^^^^^^^^^^^^^^^^ + +The document includes three charters to help the VNF providers to use the +VNF model design tools and understand the VNF package structure and VNF +TOSCA templates. + +In the ONAP, VNF Package and VNFD template can be designed by manually +or via model designer tools. VNF model designer tools can provide the +GUI and CLI tools for the VNF provider to develop the VNF Package and VNFD +template. + +The VNF package structure is align to the NFV TOSCA protocol, and +supports CSAR + +The VNFD and VNF package are all align to the NFV TOSCA protocol, which +supports multiple TOSCA template yaml files, and also supports +self-defined node or other extensions. + +NFV TOSCA Template +^^^^^^^^^^^^^^^^^^^^ + +TOSCA templates supported by ONAP must follow the requirements +enumerated in this section. + +TOSCA Introduction +^^^^^^^^^^^^^^^^^^^ + +TOSCA defines a Meta model for defining IT services. This Meta model +defines both the structure of a service as well as how to manage it. A +Topology Template (also referred to as the topology model of a service) +defines the structure of a service. Plans define the process models that +are used to create and terminate a service as well as to manage a +service during its whole lifetime. + +A Topology Template consists of a set of Node Templates and Relationship +Templates that together define the topology model of a service as a (not +necessarily connected) directed graph. A node in this graph is +represented by a *Node Template*. A Node Template specifies the +occurrence of a Node Type as a component of a service. A *Node Type* +defines the properties of such a component (via *Node Type Properties*) +and the operations (via *Interfaces*) available to manipulate the +component. Node Types are defined separately for reuse purposes and a +Node Template references a Node Type and adds usage constraints, such as +how many times the component can occur. + +|image1| + +Figure 1: Structural Elements of Service Template and their Relations + +TOSCA Modeling Principles & Data Model +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section describing TOSCA modeling principles and data model for +NFV, which shall be based on [TOSCA-1.0] and [TOSCA-Simple-Profile-YAML +V1.0], or new type based on ETSI NFV requirements, etc. + +VNF Descriptor Template +^^^^^^^^^^^^^^^^^^^^^^^^^ + +The VNF Descriptor (VNFD) describes the topology of the VNF by means of +ETSI NFV IFA011 [IFA011] terms such as VDUs, Connection Points, Virtual +Links, External Connection Points, Scaling Aspects, Instantiation Levels +and Deployment Flavours. + +The VNFD (VNF Descriptor) is read by both the NFVO and the VNFM. It +represents the contract & interface of a VNF and ensures the +interoperability across the NFV functional blocks. + +The main parts of the VNFD are the following: + +- VNF topology: it is modeled in a cloud agnostic way using virtualized + containers and their connectivity. Virtual Deployment Units (VDU) + describe the capabilities of the virtualized containers, such as + virtual CPU, RAM, disks; their connectivity is modeled with VDU + Connection Point Descriptors (VduCpd), Virtual Link Descriptors (Vld) + and VNF External Connection Point Descriptors (VnfExternalCpd); + +- VNF deployment aspects: they are described in one or more deployment + flavours, including instantiation levels, supported LCM operations, + VNF LCM operation configuration parameters, placement constraints + (affinity / antiaffinity), minimum and maximum VDU instance numbers, + and scaling aspect for horizontal scaling. + +The following table defines the TOSCA Type “derived from” values that +SHALL be used when using the TOSCA Simple Profile for NFV version 1.0 +specification [TOSCA-Simple-Profile-NFV-v1.0] for NFV VNFD with aggreed +changes from ETSI SOL001 draft. + ++---------------------+------------------------------------+-----------------+ +| **ETSI NFV Element**| **TOSCA VNFD** | **Derived from**| +| | | | +| **[IFA011]** | **[TOSCA-Simple-Profile-NFV-v1.0]**| | ++=====================+====================================+=================+ +| VNF | tosca.nodes.nfv.VNF | tosca.nodes.Root| ++---------------------+------------------------------------+-----------------+ +| Cpd (Connection | tosca.nodes.nfv.Cp | tosca.nodes.Root| +| Point) | tosca.nodes.nfv.Cp | tosca.nodes.Root| ++---------------------+------------------------------------+-----------------+ +| VduCpd (internal | tosca.nodes.nfv.VduCp | tosca.nodes.\ | +| connection point) | | nfv.Cp | ++---------------------+------------------------------------+-----------------+ +| VnfVirtualLinkDesc | tosca.nodes.nfv.VnfVirtualLink | tosca.nodes.Root| +| (Virtual Link) | | | ++---------------------+------------------------------------+-----------------+ +| VDU Virtual Storage | tosca.nodes.nfv.VDU.VirtualStorage | tosca.nodes.Root| ++---------------------+------------------------------------+-----------------+ +| VDU Virtual Compute | tosca.nodes.nfv.VDU.Compute | tosca.nodes.Root| ++---------------------+------------------------------------+-----------------+ +| Software Image | | | ++---------------------+------------------------------------+-----------------+ +| Deployment Flavour | | | ++---------------------+------------------------------------+-----------------+ +| Scaling Aspect | | | ++---------------------+------------------------------------+-----------------+ +| Element Group | | | ++---------------------+------------------------------------+-----------------+ +| Instantiation | | | +| Level | | | ++---------------------+------------------------------------+-----------------+ + + ++--------------------------------------------------------------------+ +| +--------------------------------------------------------------+ | +| | tosca\_definitions\_version: tosca\_simple\_yaml\_1\_0 | | +| | | | +| | description: VNFD TOSCA file demo | | +| | | | +| | imports: | | +| | | | +| | - TOSCA\_definition\_nfv\_1\_0.yaml | | +| | | | +| | - TOSCA\_definition\_nfv\_ext\_1\_0.yaml | | +| | | | +| | | **node\_types: | | +| | tosca.nodes.nfv.VNF.vOpenNAT: | | +| | derived\_from:** tosca.nodes.nfv.VNF | | +| | | **requirements: | | +| | **- **sriov\_plane: | | +| | capability:** tosca.capabilities.nfv.VirtualLinkable | | +| | | **node:** tosca.nodes.nfv.VnfVirtualLinkDesc | | +| | | **relationship:** tosca.relationships.nfv.VirtualLinksTo | | +| +--------------------------------------------------------------+ | ++====================================================================+ ++--------------------------------------------------------------------+ + +HPA Requirements +^^^^^^^^^^^^^^^^^^ + +1. SR-IOV Passthrought + +Definitions of SRIOV\_Port are necessary if VDU supports SR-IOV. Here is +an example. + ++------------------------------------------------+ +| node\_templates: | +| | +| vdu\_vNat: | +| | +| SRIOV\_Port: | +| | +| attributes: | +| | +| tosca\_name: SRIOV\_Port | +| | +| properties: | +| | +| virtual\_network\_interface\_requirements: | +| | +| - name: sriov | +| | +| support\_mandatory: false | +| | +| description: sriov | +| | +| requirement: | +| | +| SRIOV: true | +| | +| role: root | +| | +| description: sriov port | +| | +| layer\_protocol: ipv4 | +| | +| requirements: | +| | +| - virtual\_binding: | +| | +| capability: virtual\_binding | +| | +| node: vdu\_vNat | +| | +| relationship: | +| | +| type: tosca.relationships.nfv.VirtualBindsTo | +| | +| - virtual\_link: | +| | +| node: tosca.nodes.Root | +| | +| type: tosca.nodes.nfv.VduCpd | +| | +| substitution\_mappings: | +| | +| requirements: | +| | +| sriov\_plane: | +| | +| - SRIOV\_Port | +| | +| - virtual\_link | +| | +| node\_type: tosca.nodes.nfv.VNF.vOpenNAT | ++------------------------------------------------+ + +2. Hugepages + +Definitions of mem\_page\_size as one property shall be added to +Properties and set the value to large if one VDU node supports +huagepages. Here is an example. + ++----------------------------------+ +| node\_templates: | +| | +| vdu\_vNat: | +| | +| Hugepages: | +| | +| attributes: | +| | +| tosca\_name: Huge\_pages\_demo | +| | +| properties: | +| | +| mem\_page\_size:large | ++==================================+ ++----------------------------------+ + +3. NUMA (CPU/Mem) + +Likewise, we shall add definitions of numa to +requested\_additional\_capabilities if we wand VUD nodes to support +NUMA. Here is an example. + ++-------------------------------------------------+ +| topology\_template: | +| | +| node\_templates: | +| | +| vdu\_vNat: | +| | +| capabilities: | +| | +| virtual\_compute: | +| | +| properties: | +| | +| virtual\_memory: | +| | +| numa\_enabled: true | +| | +| virtual\_mem\_size: 2 GB | +| | +| requested\_additional\_capabilities: | +| | +| numa: | +| | +| support\_mandatory: true | +| | +| requested\_additional\_capability\_name: numa | +| | +| target\_performance\_parameters: | +| | +| hw:numa\_nodes: "2" | +| | +| hw:numa\_cpus.0: "0,1" | +| | +| hw:numa\_mem.0: "1024" | +| | +| hw:numa\_cpus.1: "2,3,4,5" | +| | +| hw:numa\_mem.1: "1024" | ++-------------------------------------------------+ + +4. Hyper-Theading + +Definitions of Hyper-Theading are necessary as one of +requested\_additional\_capabilities of one VUD node if that node +supports Hyper-Theading. Here is an example. + ++-------------------------------------------------------------+ +| topology\_template: | +| | +| node\_templates: | +| | +| vdu\_vNat: | +| | +| capabilities: | +| | +| virtual\_compute: | +| | +| properties: | +| | +| virtual\_memory: | +| | +| numa\_enabled: true | +| | +| virtual\_mem\_size: 2 GB | +| | +| requested\_additional\_capabilities: | +| | +| hyper\_threading: | +| | +| support\_mandatory: true | +| | +| requested\_additional\_capability\_name: hyper\_threading | +| | +| target\_performance\_parameters: | +| | +| hw:cpu\_sockets : "2" | +| | +| hw:cpu\_threads : "2" | +| | +| hw:cpu\_cores : "2" | +| | +| hw:cpu\_threads\_policy: "isolate" | ++-------------------------------------------------------------+ + +5. OVS+DPDK + +Definitions of ovs\_dpdk are necessary as one of +requested\_additional\_capabilities of one VUD node if that node +supports dpdk. Here is an example. + ++------------------------------------------------------+ +| topology\_template: | +| | +| node\_templates: | +| | +| vdu\_vNat: | +| | +| capabilities: | +| | +| virtual\_compute: | +| | +| properties: | +| | +| virtual\_memory: | +| | +| numa\_enabled: true | +| | +| virtual\_mem\_size: 2 GB | +| | +| requested\_additional\_capabilities: | +| | +| ovs\_dpdk: | +| | +| support\_mandatory: true | +| | +| requested\_additional\_capability\_name: ovs\_dpdk | +| | +| target\_performance\_parameters: | +| | +| sw:ovs\_dpdk: "true" | ++------------------------------------------------------+ + +NFV TOSCA Type Definition +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +tosca.capabilites.nfv.VirtualCompute +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This capability is used with the properties specified in ETSI SOL001 draft. + +tosca.nodes.nfv.VDU.Compute +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The NFV Virtualization Deployment Unit (VDU) compute node type +represents a VDU entity which it describes the deployment and +operational behavior of a VNF component (VNFC), as defined by **[ETSI +NFV IFA011].** + ++-----------------------+-------------------------------+ +| Shorthand Name | VDU.Compute | ++=======================+===============================+ +| Type Qualified Name | tosca:VDU.Compute | ++-----------------------+-------------------------------+ +| Type URI | tosca.nodes.nfv.VDU.Compute | ++-----------------------+-------------------------------+ +| derived\_from | tosca.nodes.Compute | ++-----------------------+-------------------------------+ + + + +Attributes +++++++++++++ + +None + + +Capabilities +++++++++++++++ + ++------------+--------------------+------------+------------------------------+ +| Name | Type | Constraints| Description | ++============+====================+============+==============================+ +| virtual\ | tosca.\ | | Describes virtual compute | +| _compute | capabilities.nfv.\ | | resources capabilities. | +| | VirtualCompute | | | ++------------+--------------------+------------+------------------------------+ +| monitoring\| tosca.\ | None | Monitoring parameter, which | +| _parameter | capabilities.nfv.\ | | can be tracked for a VNFC | +| | Metric | | based on this VDU | +| | | | | +| | | | Examples include: | +| | | | memory-consumption, | +| | | | CPU-utilisation, | +| | | | bandwidth-consumption, VNFC | +| | | | downtime, etc. | ++------------+--------------------+------------+------------------------------+ +| Virtual\ | tosca.\ | | Defines ability of | +| _binding | capabilities.nfv.\ | | VirtualBindable | +| | VirtualBindable | | | +| | | | | +| | editor note: need | | | +| | to create a | | | +| | capability type | | | ++------------+--------------------+------------+------------------------------+ + +Definition +++++++++++++ + ++-----------------------------------------------------------------------------+ +| tosca.nodes.nfv.VDU.Compute: | +| | +| derived\_from: tosca.nodes.Compute | +| | +| properties: | +| | +| name: | +| | +| type: string | +| | +| required: true | +| | +| description: | +| | +| type: string | +| | +| required: true | +| | +| boot\_order: | +| | +| type: list # explicit index (boot index) not necessary, contrary to IFA011 | +| | +| entry\_schema: | +| | +| type: string | +| | +| required: false | +| | +| nfvi\_constraints: | +| | +| type: list | +| | +| entry\_schema: | +| | +| type: string | +| | +| required: false | +| | +| configurable\_properties: | +| | +| type: map | +| | +| entry\_schema: | +| | +| type: tosca.datatypes.nfv.VnfcConfigurableProperties | +| | +| required: true | +| | +| attributes: | +| | +| private\_address: | +| | +| status: deprecated | +| | +| public\_address: | +| | +| status: deprecated | +| | +| networks: | +| | +| status: deprecated | +| | +| ports: | +| | +| status: deprecated | +| | +| capabilities: | +| | +| virtual\_compute: | +| | +| type: tosca.capabilities.nfv.VirtualCompute | +| | +| virtual\_binding: | +| | +| type: tosca.capabilities.nfv.VirtualBindable | +| | +| #monitoring\_parameter: | +| | +| # modeled as ad hoc (named) capabilities in VDU node template | +| | +| # for example: | +| | +| #capabilities: | +| | +| # cpu\_load: tosca.capabilities.nfv.Metric | +| | +| # memory\_usage: tosca.capabilities.nfv.Metric | +| | +| host: #Editor note: FFS. How this capabilities should be used in NFV Profile| +| | +| type: `*tosca.capabilities.Container* <#DEFN_TYPE_CAPABILITIES_CONTAINER>`__| +| | +| valid\_source\_types: | +| [`*tosca.nodes.SoftwareComponent* <#DEFN_TYPE_NODES_SOFTWARE_COMPONENT>`__] | +| | +| occurrences: [0,UNBOUNDED] | +| | +| endpoint: | +| | +| occurrences: [0,0] | +| | +| os: | +| | +| occurrences: [0,0] | +| | +| scalable: | +| #Editor note: FFS. How this capabilities should be used in NFV Profile | +| | +| type: `*tosca.capabilities.Scalable* <#DEFN_TYPE_CAPABILITIES_SCALABLE>`__ | +| | +| binding: | +| | +| occurrences: [0,UNBOUND] | +| | +| requirements: | +| | +| - virtual\_storage: | +| | +| capability: tosca.capabilities.nfv.VirtualStorage | +| | +| relationship: tosca.relationships.nfv.VDU.AttachedTo | +| | +| node: tosca.nodes.nfv.VDU.VirtualStorage | +| | +| occurences: [ 0, UNBOUNDED ] | +| | +| - local\_storage: #For NFV Profile, this requirement is deprecated. | +| | +| occurrences: [0,0] | +| | +| artifacts: | +| | +| - sw\_image: | +| | +| file: | +| | +| type: tosca.artifacts.nfv.SwImage | ++-----------------------------------------------------------------------------+ + +Artifact +++++++++++ + +Note: currently not supported. + ++--------+---------+----------------+------------+------------------------+ +| Name | Required| Type | Constraints| Description | ++========+=========+================+============+========================+ +| SwImage| Yes | tosca.\ | | Describes the software | +| | | artifacts.nfv.\| | image which is directly| +| | | SwImage | | realizing this virtual | +| | | | | storage | ++--------+---------+----------------+------------+------------------------+ + + +|image2| + + + +tosca.nodes.nfv.VDU.VirtualStorage +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The NFV VirtualStorage node type represents a virtual storage entity +which it describes the deployment and operational behavior of a virtual +storage resources, as defined by **[ETSI NFV IFA011].** + +**[editor note]** open issue: should NFV profile use the current storage +model as described in YAML 1.1. Pending on Shitao proposal (see +NFVIFA(17)000110 discussion paper) + +**[editor note]** new relationship type as suggested in Matt +presentation. Slide 8. With specific rules of “valid\_target\_type” + ++---------------------------+--------------------------------------+ +| **Shorthand Name** | VirtualStorage | ++===========================+======================================+ +| **Type Qualified Name** | tosca: VirtualStorage | ++---------------------------+--------------------------------------+ +| **Type URI** | tosca.nodes.nfv.VDU.VirtualStorage | ++---------------------------+--------------------------------------+ +| **derived\_from** | tosca.nodes.Root | ++---------------------------+--------------------------------------+ + +tosca.artifacts.nfv.SwImage +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++---------------------------+------------------------------------+ +| **Shorthand Name** | SwImage | ++===========================+====================================+ +| **Type Qualified Name** | tosca:SwImage | ++---------------------------+------------------------------------+ +| **Type URI** | tosca.artifacts.nfv.SwImage | ++---------------------------+------------------------------------+ +| **derived\_from** | tosca.artifacts.Deployment.Image | ++---------------------------+------------------------------------+ + +Properties +++++++++++++ + ++-----------------+---------+----------+------------+-------------------------+ +| Name | Required| Type | Constraints| Description | ++=================+=========+==========+============+=========================+ +| name | yes | string | | Name of this software | +| | | | | image | ++-----------------+---------+----------+------------+-------------------------+ +| version | yes | string | | Version of this software| +| | | | | image | ++-----------------+---------+----------+------------+-------------------------+ +| checksum | yes | string | | Checksum of the software| +| | | | | image file | ++-----------------+---------+----------+------------+-------------------------+ +| container\ | yes | string | | The container format | +| _format | | | | describes the container | +| | | | | file format in which | +| | | | | software image is | +| | | | | provided. | ++-----------------+---------+----------+------------+-------------------------+ +| disk\_format | yes | string | | The disk format of a | +| | | | | software image is the | +| | | | | format of the underlying| +| | | | | disk image | ++-----------------+---------+----------+------------+-------------------------+ +| min\_disk | yes | scalar-\ | | The minimal disk size | +| | | unit.size| | requirement for this | +| | | | | software image. | ++-----------------+---------+----------+------------+-------------------------+ +| min\_ram | no | scalar-\ | | The minimal RAM | +| | | unit.size| | requirement for this | +| | | | | software image. | ++-----------------+---------+----------+------------+-------------------------+ +| Size | yes | scalar-\ | | The size of this | +| | | unit.size| | software image | ++-----------------+---------+----------+------------+-------------------------+ +| sw\_image | yes | string | | A reference to the | +| | | | | actual software image | +| | | | | within VNF Package, or | +| | | | | url. | ++-----------------+---------+----------+------------+-------------------------+ +| operating\ | no | string | | Identifies the operating| +| _system | | | | system used in the | +| | | | | software image. | ++-----------------+---------+----------+------------+-------------------------+ +| supported\ | no | list | | Identifies the | +| _virtualization\| | | | virtualization | +| _enviroment | | | | environments (e.g. | +| | | | | hypervisor) compatible | +| | | | | with this software image| ++-----------------+---------+----------+------------+-------------------------+ + +Definition ++++++++++++ + ++-----------------------------------------------------+ +| tosca.artifacts.nfv.SwImage: | +| | +| derived\_from: tosca.artifacts.Deployment.Image | +| | +| properties or metadata: | +| | +| #id: | +| | +| # node name | +| | +| name: | +| | +| type: string | +| | +| required: true | +| | +| version: | +| | +| type: string | +| | +| required: true | +| | +| checksum: | +| | +| type: string | +| | +| required: true | +| | +| container\_format: | +| | +| type: string | +| | +| required: true | +| | +| disk\_format: | +| | +| type: string | +| | +| required: true | +| | +| min\_disk: | +| | +| type: scalar-unit.size # Number | +| | +| required: true | +| | +| min\_ram: | +| | +| type: scalar-unit.size # Number | +| | +| required: false | +| | +| size: | +| | +| type: scalar-unit.size # Number | +| | +| required: true | +| | +| sw\_image: | +| | +| type: string | +| | +| required: true | +| | +| operating\_system: | +| | +| type: string | +| | +| required: false | +| | +| supported\_virtualisation\_environments: | +| | +| type: list | +| | +| entry\_schema: | +| | +| type: string | +| | +| required: false | ++-----------------------------------------------------+ + +.. |image1| image:: Image1.png + :width: 5.76806in + :height: 4.67161in +.. |image2| image:: Image2.png + :width: 5.40486in + :height: 2.46042in diff --git a/docs/Chapter5/VNFM-Driver-Development-Steps.rst b/docs/Chapter5/VNFM-Driver-Development-Steps.rst new file mode 100644 index 0000000..ac06e9c --- /dev/null +++ b/docs/Chapter5/VNFM-Driver-Development-Steps.rst @@ -0,0 +1,19 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +VNFM Driver Development Steps +----------------------------- + +Refer to the ONAP documentation for VNF Provider instructions on integrating +vendor-specific VNFM adaptors with VF-C. The VNF driver development steps are +highlighted below. + +1. Use the VNF SDK tools to design the VNF with TOSCA models to output +the VNF TOSCA package. Using the VNF SDK tools, the VNF package can be +validated and tested. + +2. The VNF Provider supplies a vendor-specific VNFM driver in ONAP, which +is a microservice providing a translation interface from VF-C to +the vendor-specific VNFM. The interface definitions of vendor-specific +VNFM adaptors are supplied by the VNF Providers themselves. diff --git a/docs/Chapter5/index.rst b/docs/Chapter5/index.rst new file mode 100644 index 0000000..e5babb5 --- /dev/null +++ b/docs/Chapter5/index.rst @@ -0,0 +1,15 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +VNF Modeling Requirements +========================= + +.. toctree:: + :maxdepth: 2 + + Tosca + Heat + VNFM-Driver-Development-Steps + Creating-Vendor-Specific-VNFM-Adaptor-Microservices diff --git a/docs/Chapter6.rst b/docs/Chapter6/index.rst index 381306d..f393135 100644 --- a/docs/Chapter6.rst +++ b/docs/Chapter6/index.rst @@ -2,7 +2,6 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2017 AT&T Intellectual Property. All rights reserved. - Infrastructure Requirements =========================== diff --git a/docs/Chapter7.rst b/docs/Chapter7/Configuration-Management.rst index 9eb9d35..075c005 100644 --- a/docs/Chapter7.rst +++ b/docs/Chapter7/Configuration-Management.rst @@ -2,324 +2,8 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2017 AT&T Intellectual Property. All rights reserved. - -ONAP Management Requirements -============================ - -The ONAP platform is the part of the larger Network Function -Virtualization/Software Defined Network (NFV/SDN) ecosystem that -is responsible for the efficient control, operation and management -of Virtual Network Function (VNF) capabilities and functions. It -specifies standardized abstractions and interfaces that enable -efficient interoperation of the NVF/SDN ecosystem components. It -enables product/service independent capabilities for design, creation -and runtime lifecycle management (includes all aspects of installation, -change management, assurance, and retirement) of resources in NFV/SDN -environment (see ECOMP white paper ). These capabilities are provided -using two major architectural frameworks: (1) a Design Time Framework -to design, define and program the platform (uniform onboarding), and -(2) a Runtime Execution Framework to execute the logic programmed in -the design environment (uniform delivery and runtime lifecycle -management). The platform delivers an integrated information model -based on the VNF package to express the characteristics and behavior -of these resources in the Design Time Framework. The information model -is utilized by Runtime Execution Framework to manage the runtime -lifecycle of the VNFs. The management processes are orchestrated -across various modules of ONAP to instantiate, configure, scale, -monitor, and reconfigure the VNFs using a set of standard APIs -provided by the VNF developers. - -Although the guidelines and requirements specified in this document -were originally driven by the need to standardize and automate the -management of the virtualized environments (with VNFs) operated by -Service Providers, we believe that most of the requirements are equally -applicable to the operation of the physical network functions (PNFs), -those network functions provided by traditional physical network -elements (e.g. whitebox switches) or customized peripherals (e.g. a -video rendering engine for augmented reality). The primary area of -difference will be in how the network function is orchestrated into -place – VNFs can be much more dynamically created & placed by ONAP -to support varying geographic, availability and scalability needs, -whereas the PNFs have to be deployed a priori in specific locations -based on planning and engineering – their availability and scalability -will be determined by the capabilities offered by the PNFs. - -**PNF** is a vendor-provided Network Function(s) implemented using a -bundled set of hardware and software while VNFs utilize cloud resources -to provide Network Functions through virtualized software modules. PNF -can be supplied by a vendor as a Black BOX (provides no knowledge of its -internal characteristics, logic, and software design/architecture) or as -a White Box (provides detailed knowledge and access of its internal -components and logic) or as a Grey Box (provides limited knowledge and -access to its internal components). - -* Requirements that equally apply to both VNFs and PNFs are defined as - "The xNF MUST/SHOULD/..." -* Requirements that only apply to VNFs are defined as "The VNF MUST/SHOULD/..." -* Requirements that only apply to PNFs are defined as "The PNF MUST/SHOULD/..." - - -Service Design ------------------------------------- - -This section, Service Design, has been left intentionally blank. It -is out-of-scope for the VNF Requirements project for the Amsterdam -release and no numbered requirements are expected. Content may be -added in future updates of this document. - -VNF On-boarding and package management ------------------------------------------------------------------------------ - -Design Definition -^^^^^^^^^^^^^^^^^^ - -The ONAP Design Time Framework provides the ability to design NFV -resources including VNFs, Services, and products. The VNF provider must -provide VNF packages that include a rich set of recipes, management and -functional interfaces, policies, configuration parameters, and -infrastructure requirements that can be utilized by the ONAP Design -module to onboard and catalog these resources. Initially this -information may be provided in documents, but in the near future a -method will be developed to automate as much of the transfer of data as -possible to satisfy its long term requirements. - -The current VNF Package Requirement is based on a subset of the -Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1 -and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization -(NFV), Management and Orchestration, VNF Packaging Specification. - -Resource Description -^^^^^^^^^^^^^^^^^^^^^^ - -* R-77707 The xNF provider **MUST** include a Manifest File that - contains a list of all the components in the xNF package. -* R-66070 The xNF Package **MUST** include xNF Identification Data to - uniquely identify the resource for a given xNF provider. The identification - data must include: an identifier for the xNF, the name of the xNF as was - given by the xNF provider, xNF description, xNF provider, and version. -* R-69565 The xNF Package **MUST** include documentation describing xNF - Management APIs, which must include information and tools for ONAP to - deploy and configure (initially and ongoing) the xNF application(s) - (e.g., NETCONF APIs) which includes a description of configurable - parameters for the xNF and whether the parameters can be configured - after xNF instantiation. -* R-00156 The xNF Package **MUST** include documentation describing xNF - Management APIs, which must include information and tools for ONAP - to monitor the health of the xNF (conditions that require healing - and/or scaling responses). -* R-00068 The xNF Package **MUST** include documentation which includes - a description of parameters that can be monitored for the xNF and - event records (status, fault, flow, session, call, control plane, - etc.) generated by the xNF after instantiation. -* R-12678 The xNF Package **MUST** include documentation which includes a - description of runtime lifecycle events and related actions (e.g., - control responses, tests) which can be performed for the xNF. -* R-84366 The xNF Package **MUST** include documentation describing - xNF Functional APIs that are utilized to build network and - application services. This document describes the externally exposed - functional inputs and outputs for the xNF, including interface - format and protocols supported. -* R-36280 The xNF provider **MUST** provide documentation describing - xNF Functional Capabilities that are utilized to operationalize the - xNF and compose complex services. -* R-98617 The xNF provider **MUST** provide information regarding any - dependency (e.g., affinity, anti-affinity) with other xNFs and resources. - -Resource Configuration -^^^^^^^^^^^^^^^^^^^^^^^ - -* R-89571 The xNF **MUST** support and provide artifacts for configuration - management using at least one of the following technologies; - a) Netconf/YANG, b) Chef, or c) Ansible. - - Note: The requirements for Netconf/YANG, Chef, and Ansible protocols - are provided separately and must be supported only if the corresponding - protocol option is provided by the xNF providor. - -Configuration Management via NETCONF/YANG -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -* R-30278 The xNF provider **MUST** provide a Resource/Device YANG model - as a foundation for creating the YANG model for configuration. This will - include xNF attributes/parameters and valid values/attributes configurable - by policy. - -Configuration Management via Chef -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -* R-13390 The xNF provider **MUST** provide cookbooks to be loaded - on the appropriate Chef Server. -* R-18525 The xNF provider **MUST** provide a JSON file for each - supported action for the xNF. The JSON file must contain key value - pairs with all relevant values populated with sample data that illustrates - its usage. The fields and their description are defined in Tables A1 - and A2 in the Appendix. - - Note: Chef support in ONAP is not currently available and planned for 4Q 2017. - -Configuration Management via Ansible -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -* R-75608 The xNF provider **MUST** provide playbooks to be loaded - on the appropriate Ansible Server. -* R-16777 The xNF provider **MUST** provide a JSON file for each - supported action for the xNF. The JSON file must contain key value - pairs with all relevant values populated with sample data that illustrates - its usage. The fields and their description are defined in Table B1 - in the Appendix. - -* R-46567 The xNF Package **MUST** include configuration scripts - for boot sequence and configuration. -* R-16065 The xNF provider **MUST** provide configurable parameters - (if unable to conform to YANG model) including xNF attributes/parameters - and valid values, dynamic attributes and cross parameter dependencies - (e.g., customer provisioning data). - -Resource Control Loop -^^^^^^^^^^^^^^^^^^^^^^^ - -* R-22888 The xNF provider **MUST** provide documentation for the xNF - Policy Description to manage the xNF runtime lifecycle. The document - must include a description of how the policies (conditions and actions) - are implemented in the xNF. -* R-01556 The xNF Package **MUST** include documentation describing the - fault, performance, capacity events/alarms and other event records - that are made available by the xNF. -* R-16875 The xNF Package **MUST** include documentation which must include - a unique identification string for the specific xNF, a description of - the problem that caused the error, and steps or procedures to perform - Root Cause Analysis and resolve the issue. -* R-35960 The xNF Package **MUST** include documentation which must include - all events, severity level (e.g., informational, warning, error) and - descriptions including causes/fixes if applicable for the event. -* R-42018 The xNF Package **MUST** include documentation which must include - all events (fault, measurement for xNF Scaling, Syslogs, State Change - and Mobile Flow), that need to be collected at each VM, VNFC (defined in `VNF Guidelines <http://onap.readthedocs.io/en/latest/submodules/vnfrqts/guidelines.git/docs/vnf_guidelines/vnf_guidelines.html#a-glossary>`__ ) and for the overall xNF. -* R-27711 The xNF provider **MUST** provide an XML file that contains a - list of xNF error codes, descriptions of the error, and possible - causes/corrective action. -* R-01478 The xNF Package **MUST** include documentation describing all - parameters that are available to monitor the xNF after instantiation - (includes all counters, OIDs, PM data, KPIs, etc.) that must be - collected for reporting purposes. -* R-73560 The xNF Package **MUST** include documentation about monitoring - parameters/counters exposed for virtual resource management and xNF - application management. -* R-90632 The xNF Package **MUST** include documentation about KPIs and - metrics that need to be collected at each VM for capacity planning - and performance management purposes. -* R-86235 The xNF Package **MUST** include documentation about the monitoring - parameters that must include latencies, success rates, retry rates, load - and quality (e.g., DPM) for the key transactions/functions supported by - the xNF and those that must be exercised by the xNF in order to perform - its function. -* R-33904 The xNF Package **MUST** include documentation for each KPI, provide - lower and upper limits. -* R-53598 The xNF Package **MUST** include documentation to, when relevant, - provide a threshold crossing alert point for each KPI and describe the - significance of the threshold crossing. -* R-69877 The xNF Package **MUST** include documentation for each KPI, - identify the suggested actions that need to be performed when a - threshold crossing alert event is recorded. -* R-22680 The xNF Package **MUST** include documentation that describes - any requirements for the monitoring component of tools for Network - Cloud automation and management to provide these records to components - of the xNF. -* R-33694 The xNF Package **MUST** include documentation to when applicable, - provide calculators needed to convert raw data into appropriate reporting - artifacts. -* R-56815 The xNF Package **MUST** include documentation describing - supported xNF scaling capabilities and capacity limits (e.g., number - of users, bandwidth, throughput, concurrent calls). -* R-48596 The xNF Package **MUST** include documentation describing - the characteristics for the xNF reliability and high availability. -* R-74763 The xNF provider **MUST** provide an artifact per xNF that contains - all of the xNF Event Records supported. The artifact should include - reference to the specific release of the xNF Event Stream Common Event - Data Model document it is based on. (e.g., - `VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__) - -Compute, Network, and Storage Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* R-35851 The xNF Package **MUST** include xNF topology that describes - basic network and application connectivity internal and external to the - xNF including Link type, KPIs, Bandwidth, latency, jitter, QoS (if - applicable) for each interface. -* R-97102 The VNF Package **MUST** include VM requirements via a Heat - template that provides the necessary data for VM specifications - for all VNF components - for hypervisor, CPU, memory, storage. -* R-20204 The VNF Package **MUST** include VM requirements via a Heat - template that provides the necessary data for network connections, - interface connections, internal and external to VNF. -* R-44896 The VNF Package **MUST** include VM requirements via a Heat - template that provides the necessary data for high availability - redundancy model. -* R-55802 The VNF Package **MUST** include VM requirements via a Heat - template that provides the necessary data for scaling/growth VM - specifications. - - Note: Must comply with the *Heat requirements in 5.b*. - -* R-26881 The xNF provider **MUST** provide the binaries and images - needed to instantiate the xNF (xNF and VNFC images). -* R-96634 The xNF provider **MUST** describe scaling capabilities - to manage scaling characteristics of the xNF. - - -Testing -^^^^^^^^^^ - -* R-43958 The xNF Package **MUST** include documentation describing - the tests that were conducted by the xNF providor and the test results. -* R-04298 The xNF provider **MUST** provide their testing scripts to - support testing. -* R-58775 The xNF provider **MUST** provide software components that - can be packaged with/near the xNF, if needed, to simulate any functions - or systems that connect to the xNF system under test. This component is - necessary only if the existing testing environment does not have the - necessary simulators. - -Licensing Requirements -^^^^^^^^^^^^^^^^^^^^^^^ - -* R-85653 The xNF **MUST** provide metrics (e.g., number of sessions, - number of subscribers, number of seats, etc.) to ONAP for tracking - every license. -* R-44125 The xNF provider **MUST** agree to the process that can - be met by Service Provider reporting infrastructure. The Contract - shall define the reporting process and the available reporting tools. -* R-40827 The xNF provider **MUST** enumerate all of the open - source licenses their xNF(s) incorporate. -* R-97293 The xNF provider **MUST NOT** require audits of - Service Provider’s business. -* R-44569 The xNF provider **MUST NOT** require additional - infrastructure such as a xNF provider license server for xNF provider - functions and metrics. -* R-13613 The VNF **MUST** provide clear measurements for licensing - purposes to allow automated scale up/down by the management system. -* R-27511 The VNF provider **MUST** provide the ability to scale - up a VNF provider supplied product during growth and scale down a - VNF provider supplied product during decline without “real-time” - restrictions based upon VNF provider permissions. -* R-85991 The xNF provider **MUST** provide a universal license key - per xNF to be used as needed by services (i.e., not tied to a VM - instance) as the recommended solution. The xNF provider may provide - pools of Unique xNF License Keys, where there is a unique key for - each xNF instance as an alternate solution. Licensing issues should - be resolved without interrupting in-service xNFs. -* R-47849 The xNF provider **MUST** support the metadata about - licenses (and their applicable entitlements) as defined in this - document for xNF software, and any license keys required to authorize - use of the xNF software. This metadata will be used to facilitate - onboarding the xNF into the ONAP environment and automating processes - for putting the licenses into use and managing the full lifecycle of - the licenses. The details of this license model are described in - Tables C1 to C8 in the Appendix. Note: License metadata support in - ONAP is not currently available and planned for 1Q 2018. - Configuration Management ---------------------------------------------------- +------------------------ Controller Interactions With VNF ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -1306,546 +990,6 @@ Table 8. ONAP Controller APIs and NETCONF Commands | | | |results. | +-------------+--------------------+--------------------+--------------------+ -Monitoring & Management --------------------------------------------------- - -This section addresses data collection and event processing -functionality that is directly dependent on the interfaces -provided by the VNFs’ APIs. These can be in the form of asynchronous -interfaces for event, fault notifications, and autonomous data streams. -They can also be synchronous interfaces for on-demand requests to -retrieve various performance, usage, and other event information. - -The target direction for VNF interfaces is to employ APIs that are -implemented utilizing standardized messaging and modeling protocols -over standardized transports. Migrating to a virtualized environment -presents a tremendous opportunity to eliminate the need for proprietary -interfaces for VNF provider equipment while removing the traditional -boundaries between Network Management Systems and Element Management -Systems. Additionally, VNFs provide the ability to instrument the -networking applications by creating event records to test and monitor -end-to-end data flow through the network, similar to what physical or -virtual probes provide without the need to insert probes at various -points in the network. The VNF providers must be able to provide the -aforementioned set of required data directly to the ONAP collection -layer using standardized interfaces. - -Data Model for Event Records -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section describes the data model for the collection of telemetry -data from VNFs by Service Providers (SPs) to manage VNF health and -runtime lifecycle. This data model is referred to as the VNF Event -Streaming (VES) specifications. While this document is focused on -specifying some of the records from the ONAP perspective, there may -be other external bodies using the same framework to specify additional -records. For example, OPNFV has a VES project that is looking to specify -records for OpenStack’s internal telemetry to manage Application (VNFs), -physical and virtual infrastructure (compute, storage, network devices), -and virtual infrastructure managers (cloud controllers, SDN controllers). -Note that any configurable parameters for these data records (e.g., -frequency, granularity, policy-based configuration) will be managed -using the “Configuration” framework described in the prior sections -of this document. - -The Data Model consists of: - -- Common Header Record: This data structure precedes each of the - Technology Independent and Technology Specific records sections of - the data model. - -- Technology Independent Records: This version of the document - specifies the model for Fault, Heartbeat, State Change, Syslog, - Threshold Crossing Alerts, and VNF Scaling* (short for - measurementForVfScalingFields – actual name used in JSON - specification) records. In the future, these may be extended to - support other types of technology independent records. Each of - these records allows additional fields (name/ value pairs) for - extensibility. The VNF provider can use these VNF Provider-specific - additional fields to provide additional information that may be - relevant to the managing systems. - -- Technology Specific Records: This version of the document specifies - the model for Mobile Flow records, Signaling and Voice Quality records. - In the future, these may be extended to support other types of records - (e.g. Network Fabric, Security records, etc.). Each of these records - allows additional fields (name/value pairs) for extensibility. The VNF - providers can use these VNF-specific additional fields to provide - additional information that may be relevant to the managing systems. - A placeholder for additional technology specific areas of interest to - be defined in the future documents has been depicted. - -|image0| - -Figure 1. Data Model for Event Records - -Event Records - Data Structure Description -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The data structure for event records consists of: - -- a Common Event Header block; - -- zero or more technology independent domain blocks; and - - - e.g., Fault domain, State Change domain, Syslog domain, etc. - -- zero or more technology specific domain blocks. - - - e.g., Mobile Flow domain, Signaling domain, Voice Quality domain, - etc. - -Common Event Header -~~~~~~~~~~~~~~~~~~~~~ - -The common header that precedes any of the domain-specific records contains -information identifying the type of record to follow, information about -the sender and other identifying characteristics related to timestamp, -sequence number, etc. - -Technology Independent Records – Fault Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Fault Record, describing a condition in the Fault domain, contains -information about the fault such as the entity under fault, the -severity, resulting status, etc. - -Technology Independent Records – Heartbeat Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Heartbeat Record provides an optional structure for communicating -information about heartbeat or watchdog signaling events. It can -contain information about service intervals, status information etc. -as required by the heartbeat implementation. - -Note: Heartbeat records would only have the Common Event Header block. -An optional heartbeat domain is available if required by the heartbeat -implementation. - -Technology Independent Records – State Change Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The State Change Record provides a structure for communicating information -about data flow through the VNF. It can contain information about state -change related to physical device that is reported by VNF. As an example, -when cards or port name of the entity that has changed state. - -Technology Independent Records – Syslog Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Syslog Record provides a structure for communicating any type of -information that may be logged by the VNF. It can contain information -about system internal events, status, errors, etc. - -Technology Independent Records – Threshold Crossing Alert Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Threshold Crossing Alert (TCA) Record provides a structure for -communicating information about threshold crossing alerts. It can -contain alert definitions and types, actions, events, timestamps -and physical or logical details. - -Technology Independent Records - VNF Scaling Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The VNF Scaling\* (short for measurementForVfScalingFields – -actual name used in JSON specification) Record contains information -about VNF and VNF resource structure and its condition to help in -the management of the resources for purposes of elastic scaling. - -Technology Independent Records – otherFields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The otherFields Record defines fields for events belonging to the -otherFields domain of the Technology Independent domain enumeration. -This record provides a mechanism to convey a complex set of fields -(possibly nested or opaque) and is purely intended to address -miscellaneous needs such as addressing time-to-market considerations -or other proof-of-concept evaluations. Hence, use of this record -type is discouraged and should be minimized. - -Technology Specific Records – Mobile Flow Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Mobile Flow Record provides a structure for communicating -information about data flow through the VNF. It can contain -information about connectivity and data flows between serving -elements for mobile service, such as between LTE reference points, etc. - -Technology Specific Records – Signaling Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Signaling Record provides a structure for communicating information -about signaling messages, parameters and signaling state. It can -contain information about data flows for signaling and controlling -multimedia communication sessions such as voice and video calls. - -Technology Specific Records – Voice Quality Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The Voice Quality Record provides a structure for communicating information -about voice quality statistics including media connection information, -such as transmitted octet and packet counts, packet loss, packet delay -variation, round-trip delay, QoS parameters and codec selection. - -Technology Specific Records – Future Domains -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The futureDomains Record is a placeholder for additional technology -specific areas of interest that will be defined and described -in the future documents. - -Data Structure Specification of the Event Record -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -For additional information on the event record formats of the data -structures mentioned above, please refer to `VES Event -Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__. - -Transports and Protocols Supporting Resource Interfaces -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Delivery of data from VNFs to ONAP must use the common transport -mechanisms and protocols for all VNFs as defined in this document. -Transport mechanisms and protocols have been selected to enable both -high volume and moderate volume datasets, as well as asynchronous and -synchronous communications over secure connections. The specified -encoding provides self-documenting content, so data fields can be -changed as needs evolve, while minimizing changes to data delivery. - -The term ‘Event Record’ is used throughout this document to represent -various forms of telemetry or instrumentation made available by the -VNF including, faults, status events, various other types of VNF -measurements and logs. Headers received by themselves must be used -as heartbeat indicators. Common structures and delivery protocols for -other types of data will be given in future versions of this document -as we get more insight into data volumes and required processing. - -In the following sections, we provide options for encoding, serialization -and data delivery. Agreements between Service Providers and VNF providers -shall determine which encoding, serialization and delivery method to use -for particular data sets. The selected methods must be agreed to prior to -the on-boarding of the VNF into ONAP design studio. - -VNF Telemetry using VES/JSON Model -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The preferred model for data delivery from a VNF to ONAP DCAE is -the JSON driven model as depicted in Figure 2. - -|image1| - -Figure 2. VES/JSON Driven Model - -VNF providers will provide a YAML artifact to the Service Provider -that describes: - -* standard VES/JSON model information elements (key/values) that - the VNF provides -* any additional non-standard (custom) VES/JSON model information - elements (key/values) that the VNF provides - -Using the semantics and syntax supported by YAML, VNF providers -will indicate specific conditions that may arise, and recommend -actions that should be taken at specific thresholds, or if specific -conditions repeat within a specified time interval. - -Based on the VNF provider's recommendations, the Service Provider may -create additional YAML artifacts (using ONAP design Studio), which -finalizes Service Provider engineering rules for the processing of -the VNF events. The Service Provider may alter the threshold levels -recommended by the VNF providor, and may modify and more clearly -specify actions that should be taken when specified conditions arise. -The Service Provider-created version of the YAML artifact will be -distributed to ONAP applications by the Design framework. - -VNF Telemetry using YANG Model -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In addition to the JSON driven model described above, a YANG -driven model can also be supported, as depicted in Figure 3. - -|image2| - -Figure 3. YANG Driven Model - -VNF providers will provide to the Service Provider the following -YANG model artifacts: - -* common IETF YANG modules that support the VNF -* native (VNF provider-supplied) YANG modules that support the VNF -* open (OpenConfig) YANG modules and the following - configuration-related information, including: - - * telemetry configuration and operational state data; such as: - - * sensor paths - * subscription bindings - * path destinations - * delivery frequency - * transport mechanisms - * data encodings - -* a YAML artifact that provides all necessary mapping relationships - between YANG model data types to VES/JSON information elements -* YANG helper or decoder functions that automate the conversion between - YANG model data types to VES/JSON information elements -* OPTIONAL: YANG Telemetry modules in JSON format per RFC 7951 - -Using the semantics and syntax supported by YANG, VNF providers -will indicate specific conditions that may arise, and recommend -actions that should be taken at specific thresholds, or if specific -conditions repeat within a specified time interval. - -Based on the VNF provider's recommendations, the Service Provider may -create additional YAML artifacts (using ONAP design Studio), which -finalizes Service Provider engineering rules for the processing of the -VNF events. The Service Provider may alter the threshold levels recommended -by the VNF provider, and may modify and more clearly specify actions that -should be taken when specified conditions arise. The Service -Provided-created version of the YAML will be distributed to ONAP -applications by the Design framework. - -Note: While supporting the YANG model described above, we are still -leveraging the VES JSON based model in DCAE. The purpose of the -diagram above is to illustrate the concept only and not to imply a -specific implementation. - -VNF Telemetry using Google Protocol Buffers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In addition to the data delivery models described above, support for -delivery of VNF telemetry using Google Protocol Buffers (GPB) can -also be supported, as depicted in Figure 4. - -VNF providers will provide to the Service Provider the additional -following artifacts to support the delivery of VNF telemetry to DCAE -via the open-source gRPC mechanism using Google's Protocol Buffers: - -* the YANG model artifacts described in support of the - "VNF Telemetry using YANG Model" -* valid definition file(s) for all GPB / KV-GPB encoded messages -* valid definition file(s) for all gRPC services -* gRPC method parameters and return types specified as Protocol - Buffers messages - -|image3| - -Figure 4. Protocol Buffers Driven Model - -Note: if Google Protocol Buffers are employed for delivery of VNF -telemetry, Key-Value Google Protocol Buffers (KV-GPB) is the -preferred serialization method. Details of specifications and -versioning corresponding to a release can be found at: -`VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__. - -Note: While supporting the VNF telemetry delivery approach described above, -we are still leveraging the VES JSON based model in DCAE. The purpose of -the diagram above is to illustrate the concept only and not to imply a -specific implementation. - -Monitoring & Management Requirements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -VNF telemetry via standardized interface -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -* R-51910 The xNF **MUST** provide all telemetry (e.g., fault event - records, syslog records, performance records etc.) to ONAP using the - model, format and mechanisms described in this section. - -Encoding and Serialization -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Content delivered from VNFs to ONAP is to be encoded and serialized using JSON: - -JSON -~~~~~~~~~~~~~~~~~~ - -* R-19624 The xNF **MUST** encode and serialize content delivered to - ONAP using JSON (RFC 7159) plain text format. High-volume data - is to be encoded and serialized using `Avro <http://avro.apache.org/>`_, where the Avro [5]_ data format are described using JSON. - - Note: - - - JSON plain text format is preferred for moderate volume data sets - (option 1), as JSON has the advantage of having well-understood simple - processing and being human-readable without additional decoding. Examples - of moderate volume data sets include the fault alarms and performance - alerts, heartbeat messages, measurements used for xNF scaling and syslogs. - - Binary format using Avro is preferred for high volume data sets - (option 2) such as mobility flow measurements and other high-volume - streaming events (such as mobility signaling events or SIP signaling) - or bulk data, as this will significantly reduce the volume of data - to be transmitted. As of the date of this document, all events are - reported using plain text JSON and REST. - - Avro content is self-documented, using a JSON schema. The JSON schema is - delivered along with the data content - (http://avro.apache.org/docs/current/ ). This means the presence and - position of data fields can be recognized automatically, as well as the - data format, definition and other attributes. Avro content can be - serialized as JSON tagged text or as binary. In binary format, the - JSON schema is included as a separate data block, so the content is - not tagged, further compressing the volume. For streaming data, Avro - will read the schema when the stream is established and apply the - schema to the received content. - -In addition to the preferred method (JSON), content can be delivered -from xNFs to ONAP can be encoded and serialized using Google Protocol -Buffers (GPB). - -KV-GPB/GPB -~~~~~~~~~~~~~~~~~~ - -Telemetry data delivered using Google Protocol Buffers v3 (proto3) -can be serialized in one of the following methods: - -* Key-value Google Protocol Buffers (KV-GPB) is also known as - self-describing GPB: - - * keys are strings that correspond to the path of the system - resources for the VNF being monitored. - * values correspond to integers or strings that identify the - operational state of the VNF resource, such a statistics counters - and the state of a VNF resource. - -* VNF providers must supply valid KV-GPB definition file(s) to allow - for the decoding of all KV-GPB encoded telemetry messages. - -* Native Google Protocol Buffers (GPB) is also known as compact GPB: - - * keys are represented as integers pointing to the system resources for - the VNF being monitored. - * values correspond to integers or strings that identify the operational - state of the VNF resource, such a statistics counters and the state - of a VNF resource. - -* Google Protocol Buffers (GPB) requires metadata in the form of .proto - files. VNF providers must supply the necessary GPB .proto files such that - GPB telemetry messages can be encoded and decoded. - -* In the future, we may consider support for other types of - encoding & serialization methods based on industry demand. - - -Reporting Frequency -~~~~~~~~~~~~~~~~~~~~~ - -* R-98191 The xNF **MUST** vary the frequency that asynchronous data - is delivered based on the content and how data may be aggregated or - grouped together. - - Note: - - - For example, alarms and alerts are expected to be delivered as - soon as they appear. In contrast, other content, such as - performance measurements, KPIs or reported network signaling may have - various ways of packaging and delivering content. Some content should - be streamed immediately; or content may be monitored over a time interval, - then packaged as collection of records and delivered as block; or data - may be collected until a package of a certain size has been collected; - or content may be summarized statistically over a time interval, or - computed as a KPI, with the summary or KPI being delivered. - - We expect the reporting frequency to be configurable depending - on the virtual network function’s needs for management. For example, - Service Provider may choose to vary the frequency of collection between - normal and trouble-shooting scenarios. - - Decisions about the frequency of data reporting will affect the - size of delivered data sets, recommended delivery method, and how the - data will be interpreted by ONAP. These considerations should not - affect deserialization and decoding of the data, which will be guided - by the accompanying JSON schema or GPB definition files. - -Addressing and Delivery Protocol -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -ONAP destinations can be addressed by URLs for RESTful data PUT. Future -data sets may also be addressed by host name and port number for TCP -streaming, or by host name and landing zone directory for SFTP transfer -of bulk files. - -* R-88482 The xNF **SHOULD** use REST using HTTPS delivery of plain - text JSON for moderate sized asynchronous data sets, and for high - volume data sets when feasible. -* R-84879 The xNF **MUST** have the capability of maintaining a primary - and backup DNS name (URL) for connecting to ONAP collectors, with the - ability to switch between addresses based on conditions defined by policy - such as time-outs, and buffering to store messages until they can be - delivered. At its discretion, the service provider may choose to populate - only one collector address for a xNF. In this case, the network will - promptly resolve connectivity problems caused by a collector or network - failure transparently to the xNF. -* R-81777 The xNF **MUST** be configured with initial address(es) to use - at deployment time. Subsequently, address(es) may be changed through - ONAP-defined policies delivered from ONAP to the xNF using PUTs to a - RESTful API, in the same manner that other controls over data reporting - will be controlled by policy. -* R-08312 The xNF **MAY** use another option which is expected to include REST - delivery of binary encoded data sets. -* R-79412 The xNF **MAY** use another option which is expected to include TCP - for high volume streaming asynchronous data sets and for other high volume - data sets. TCP delivery can be used for either JSON or binary encoded data - sets. -* R-01033 The xNF **MAY** use another option which is expected to include SFTP - for asynchronous bulk files, such as bulk files that contain large volumes of - data collected over a long time interval or data collected across many xNFs. - (Preferred is to reorganize the data into more frequent or more focused data - sets, and deliver these by REST or TCP as appropriate.) -* R-63229 The xNF **MAY** use another option which is expected to include REST - for synchronous data, using RESTCONF (e.g., for xNF state polling). -* R-03070 The xNF **MUST**, by ONAP Policy, provide the ONAP addresses - as data destinations for each xNF, and may be changed by Policy while - the xNF is in operation. We expect the xNF to be capable of redirecting - traffic to changed destinations with no loss of data, for example from - one REST URL to another, or from one TCP host and port to another. - -Asynchronous and Synchronous Data Delivery -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -* R-06924 The xNF **MUST** deliver asynchronous data as data becomes - available, or according to the configured frequency. -* R-73285 The xNF **MUST** must encode, address and deliver the data - as described in the previous paragraphs. -* R-42140 The xNF **MUST** respond to data requests from ONAP as soon - as those requests are received, as a synchronous response. -* R-34660 The xNF **MUST** use the RESTCONF/NETCONF framework used by - the ONAP configuration subsystem for synchronous communication. -* R-86586 The xNF **MUST** use the YANG configuration models and RESTCONF - [RFC8040] (https://tools.ietf.org/html/rfc8040). -* R-11240 The xNF **MUST** respond with content encoded in JSON, as - described in the RESTCONF specification. This way the encoding of a - synchronous communication will be consistent with Avro. -* R-70266 The xNF **MUST** respond to an ONAP request to deliver the - current data for any of the record types defined in - `Event Records - Data Structure Description`_ by returning the requested - record, populated with the current field values. (Currently the defined - record types include fault fields, mobile flow fields, measurements for - xNF scaling fields, and syslog fields. Other record types will be added - in the future as they become standardized and are made available.) -* R-46290 The xNF **MUST** respond to an ONAP request to deliver granular - data on device or subsystem status or performance, referencing the YANG - configuration model for the xNF by returning the requested data elements. -* R-43327 The xNF **SHOULD** use `Modeling JSON text with YANG - <https://tools.ietf.org/html/rfc7951>`_, If YANG models need to be - translated to and from JSON{RFC7951]. YANG configuration and content can - be represented via JSON, consistent with Avro, as described in “Encoding - and Serialization” section. - -Security -~~~~~~~~~~ - -* R-42366 The xNF **MUST** support secure connections and transports such as - Transport Layer Security (TLS) protocol - [`RFC5246 <https://tools.ietf.org/html/rfc5246>`_] and should adhere to - the best current practices outlined in - `RFC7525 <https://tools.ietf.org/html/rfc7525>`_. -* R-44290 The xNF **MUST** control access to ONAP and to xNFs, and creation - of connections, through secure credentials, log-on and exchange mechanisms. -* R-47597 The xNF **MUST** carry data in motion only over secure connections. -* R-68165 The xNF **MUST** encrypt any content containing Sensitive Personal - Information (SPI) or certain proprietary data, in addition to applying the - regular procedures for securing access and delivery. - - .. [1] https://github.com/mbj4668/pyang @@ -1860,15 +1004,10 @@ Security .. [4] Multiple ONAP actions may map to one playbook. -.. [5] - This option is not currently supported in ONAP and it is currently - under consideration. - .. |image0| image:: Data_Model_For_Event_Records.png :width: 7in :height: 8in - .. |image1| image:: VES_JSON_Driven_Model.png :width: 5in :height: 3in diff --git a/docs/Chapter7/Monitoring-And-Management.rst b/docs/Chapter7/Monitoring-And-Management.rst new file mode 100644 index 0000000..a54671f --- /dev/null +++ b/docs/Chapter7/Monitoring-And-Management.rst @@ -0,0 +1,563 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +Monitoring & Management +----------------------- + +This section addresses data collection and event processing +functionality that is directly dependent on the interfaces +provided by the VNFs’ APIs. These can be in the form of asynchronous +interfaces for event, fault notifications, and autonomous data streams. +They can also be synchronous interfaces for on-demand requests to +retrieve various performance, usage, and other event information. + +The target direction for VNF interfaces is to employ APIs that are +implemented utilizing standardized messaging and modeling protocols +over standardized transports. Migrating to a virtualized environment +presents a tremendous opportunity to eliminate the need for proprietary +interfaces for VNF provider equipment while removing the traditional +boundaries between Network Management Systems and Element Management +Systems. Additionally, VNFs provide the ability to instrument the +networking applications by creating event records to test and monitor +end-to-end data flow through the network, similar to what physical or +virtual probes provide without the need to insert probes at various +points in the network. The VNF providers must be able to provide the +aforementioned set of required data directly to the ONAP collection +layer using standardized interfaces. + +Data Model for Event Records +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section describes the data model for the collection of telemetry +data from VNFs by Service Providers (SPs) to manage VNF health and +runtime lifecycle. This data model is referred to as the VNF Event +Streaming (VES) specifications. While this document is focused on +specifying some of the records from the ONAP perspective, there may +be other external bodies using the same framework to specify additional +records. For example, OPNFV has a VES project that is looking to specify +records for OpenStack’s internal telemetry to manage Application (VNFs), +physical and virtual infrastructure (compute, storage, network devices), +and virtual infrastructure managers (cloud controllers, SDN controllers). +Note that any configurable parameters for these data records (e.g., +frequency, granularity, policy-based configuration) will be managed +using the “Configuration” framework described in the prior sections +of this document. + +The Data Model consists of: + +- Common Header Record: This data structure precedes each of the + Technology Independent and Technology Specific records sections of + the data model. + +- Technology Independent Records: This version of the document + specifies the model for Fault, Heartbeat, State Change, Syslog, + Threshold Crossing Alerts, and VNF Scaling* (short for + measurementForVfScalingFields – actual name used in JSON + specification) records. In the future, these may be extended to + support other types of technology independent records. Each of + these records allows additional fields (name/ value pairs) for + extensibility. The VNF provider can use these VNF Provider-specific + additional fields to provide additional information that may be + relevant to the managing systems. + +- Technology Specific Records: This version of the document specifies + the model for Mobile Flow records, Signaling and Voice Quality records. + In the future, these may be extended to support other types of records + (e.g. Network Fabric, Security records, etc.). Each of these records + allows additional fields (name/value pairs) for extensibility. The VNF + providers can use these VNF-specific additional fields to provide + additional information that may be relevant to the managing systems. + A placeholder for additional technology specific areas of interest to + be defined in the future documents has been depicted. + +|image0| + +Figure 1. Data Model for Event Records + +Event Records - Data Structure Description +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The data structure for event records consists of: + +- a Common Event Header block; + +- zero or more technology independent domain blocks; and + + - e.g., Fault domain, State Change domain, Syslog domain, etc. + +- zero or more technology specific domain blocks. + + - e.g., Mobile Flow domain, Signaling domain, Voice Quality domain, + etc. + +Common Event Header +~~~~~~~~~~~~~~~~~~~~~ + +The common header that precedes any of the domain-specific records contains +information identifying the type of record to follow, information about +the sender and other identifying characteristics related to timestamp, +sequence number, etc. + +Technology Independent Records – Fault Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Fault Record, describing a condition in the Fault domain, contains +information about the fault such as the entity under fault, the +severity, resulting status, etc. + +Technology Independent Records – Heartbeat Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Heartbeat Record provides an optional structure for communicating +information about heartbeat or watchdog signaling events. It can +contain information about service intervals, status information etc. +as required by the heartbeat implementation. + +Note: Heartbeat records would only have the Common Event Header block. +An optional heartbeat domain is available if required by the heartbeat +implementation. + +Technology Independent Records – State Change Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The State Change Record provides a structure for communicating information +about data flow through the VNF. It can contain information about state +change related to physical device that is reported by VNF. As an example, +when cards or port name of the entity that has changed state. + +Technology Independent Records – Syslog Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Syslog Record provides a structure for communicating any type of +information that may be logged by the VNF. It can contain information +about system internal events, status, errors, etc. + +Technology Independent Records – Threshold Crossing Alert Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Threshold Crossing Alert (TCA) Record provides a structure for +communicating information about threshold crossing alerts. It can +contain alert definitions and types, actions, events, timestamps +and physical or logical details. + +Technology Independent Records - VNF Scaling Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The VNF Scaling\* (short for measurementForVfScalingFields – +actual name used in JSON specification) Record contains information +about VNF and VNF resource structure and its condition to help in +the management of the resources for purposes of elastic scaling. + +Technology Independent Records – otherFields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The otherFields Record defines fields for events belonging to the +otherFields domain of the Technology Independent domain enumeration. +This record provides a mechanism to convey a complex set of fields +(possibly nested or opaque) and is purely intended to address +miscellaneous needs such as addressing time-to-market considerations +or other proof-of-concept evaluations. Hence, use of this record +type is discouraged and should be minimized. + +Technology Specific Records – Mobile Flow Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Mobile Flow Record provides a structure for communicating +information about data flow through the VNF. It can contain +information about connectivity and data flows between serving +elements for mobile service, such as between LTE reference points, etc. + +Technology Specific Records – Signaling Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Signaling Record provides a structure for communicating information +about signaling messages, parameters and signaling state. It can +contain information about data flows for signaling and controlling +multimedia communication sessions such as voice and video calls. + +Technology Specific Records – Voice Quality Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The Voice Quality Record provides a structure for communicating information +about voice quality statistics including media connection information, +such as transmitted octet and packet counts, packet loss, packet delay +variation, round-trip delay, QoS parameters and codec selection. + +Technology Specific Records – Future Domains +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The futureDomains Record is a placeholder for additional technology +specific areas of interest that will be defined and described +in the future documents. + +Data Structure Specification of the Event Record +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +For additional information on the event record formats of the data +structures mentioned above, please refer to `VES Event +Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__. + +Transports and Protocols Supporting Resource Interfaces +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Delivery of data from VNFs to ONAP must use the common transport +mechanisms and protocols for all VNFs as defined in this document. +Transport mechanisms and protocols have been selected to enable both +high volume and moderate volume datasets, as well as asynchronous and +synchronous communications over secure connections. The specified +encoding provides self-documenting content, so data fields can be +changed as needs evolve, while minimizing changes to data delivery. + +The term ‘Event Record’ is used throughout this document to represent +various forms of telemetry or instrumentation made available by the +VNF including, faults, status events, various other types of VNF +measurements and logs. Headers received by themselves must be used +as heartbeat indicators. Common structures and delivery protocols for +other types of data will be given in future versions of this document +as we get more insight into data volumes and required processing. + +In the following sections, we provide options for encoding, serialization +and data delivery. Agreements between Service Providers and VNF providers +shall determine which encoding, serialization and delivery method to use +for particular data sets. The selected methods must be agreed to prior to +the on-boarding of the VNF into ONAP design studio. + +VNF Telemetry using VES/JSON Model +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The preferred model for data delivery from a VNF to ONAP DCAE is +the JSON driven model as depicted in Figure 2. + +|image1| + +Figure 2. VES/JSON Driven Model + +VNF providers will provide a YAML artifact to the Service Provider +that describes: + +* standard VES/JSON model information elements (key/values) that + the VNF provides +* any additional non-standard (custom) VES/JSON model information + elements (key/values) that the VNF provides + +Using the semantics and syntax supported by YAML, VNF providers +will indicate specific conditions that may arise, and recommend +actions that should be taken at specific thresholds, or if specific +conditions repeat within a specified time interval. + +Based on the VNF provider's recommendations, the Service Provider may +create additional YAML artifacts (using ONAP design Studio), which +finalizes Service Provider engineering rules for the processing of +the VNF events. The Service Provider may alter the threshold levels +recommended by the VNF providor, and may modify and more clearly +specify actions that should be taken when specified conditions arise. +The Service Provider-created version of the YAML artifact will be +distributed to ONAP applications by the Design framework. + +VNF Telemetry using YANG Model +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In addition to the JSON driven model described above, a YANG +driven model can also be supported, as depicted in Figure 3. + +|image2| + +Figure 3. YANG Driven Model + +VNF providers will provide to the Service Provider the following +YANG model artifacts: + +* common IETF YANG modules that support the VNF +* native (VNF provider-supplied) YANG modules that support the VNF +* open (OpenConfig) YANG modules and the following + configuration-related information, including: + + * telemetry configuration and operational state data; such as: + + * sensor paths + * subscription bindings + * path destinations + * delivery frequency + * transport mechanisms + * data encodings + +* a YAML artifact that provides all necessary mapping relationships + between YANG model data types to VES/JSON information elements +* YANG helper or decoder functions that automate the conversion between + YANG model data types to VES/JSON information elements +* OPTIONAL: YANG Telemetry modules in JSON format per RFC 7951 + +Using the semantics and syntax supported by YANG, VNF providers +will indicate specific conditions that may arise, and recommend +actions that should be taken at specific thresholds, or if specific +conditions repeat within a specified time interval. + +Based on the VNF provider's recommendations, the Service Provider may +create additional YAML artifacts (using ONAP design Studio), which +finalizes Service Provider engineering rules for the processing of the +VNF events. The Service Provider may alter the threshold levels recommended +by the VNF provider, and may modify and more clearly specify actions that +should be taken when specified conditions arise. The Service +Provided-created version of the YAML will be distributed to ONAP +applications by the Design framework. + +Note: While supporting the YANG model described above, we are still +leveraging the VES JSON based model in DCAE. The purpose of the +diagram above is to illustrate the concept only and not to imply a +specific implementation. + +VNF Telemetry using Google Protocol Buffers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In addition to the data delivery models described above, support for +delivery of VNF telemetry using Google Protocol Buffers (GPB) can +also be supported, as depicted in Figure 4. + +VNF providers will provide to the Service Provider the additional +following artifacts to support the delivery of VNF telemetry to DCAE +via the open-source gRPC mechanism using Google's Protocol Buffers: + +* the YANG model artifacts described in support of the + "VNF Telemetry using YANG Model" +* valid definition file(s) for all GPB / KV-GPB encoded messages +* valid definition file(s) for all gRPC services +* gRPC method parameters and return types specified as Protocol + Buffers messages + +|image3| + +Figure 4. Protocol Buffers Driven Model + +Note: if Google Protocol Buffers are employed for delivery of VNF +telemetry, Key-Value Google Protocol Buffers (KV-GPB) is the +preferred serialization method. Details of specifications and +versioning corresponding to a release can be found at: +`VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__. + +Note: While supporting the VNF telemetry delivery approach described above, +we are still leveraging the VES JSON based model in DCAE. The purpose of +the diagram above is to illustrate the concept only and not to imply a +specific implementation. + +Monitoring & Management Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +VNF telemetry via standardized interface +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* R-51910 The xNF **MUST** provide all telemetry (e.g., fault event + records, syslog records, performance records etc.) to ONAP using the + model, format and mechanisms described in this section. + +Encoding and Serialization +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Content delivered from VNFs to ONAP is to be encoded and serialized using JSON: + +JSON +~~~~~~~~~~~~~~~~~~ + +* R-19624 The xNF **MUST** encode and serialize content delivered to + ONAP using JSON (RFC 7159) plain text format. High-volume data + is to be encoded and serialized using `Avro <http://avro.apache.org/>`_, where the Avro [1]_ data format are described using JSON. + + Note: + + - JSON plain text format is preferred for moderate volume data sets + (option 1), as JSON has the advantage of having well-understood simple + processing and being human-readable without additional decoding. Examples + of moderate volume data sets include the fault alarms and performance + alerts, heartbeat messages, measurements used for xNF scaling and syslogs. + - Binary format using Avro is preferred for high volume data sets + (option 2) such as mobility flow measurements and other high-volume + streaming events (such as mobility signaling events or SIP signaling) + or bulk data, as this will significantly reduce the volume of data + to be transmitted. As of the date of this document, all events are + reported using plain text JSON and REST. + - Avro content is self-documented, using a JSON schema. The JSON schema is + delivered along with the data content + (http://avro.apache.org/docs/current/ ). This means the presence and + position of data fields can be recognized automatically, as well as the + data format, definition and other attributes. Avro content can be + serialized as JSON tagged text or as binary. In binary format, the + JSON schema is included as a separate data block, so the content is + not tagged, further compressing the volume. For streaming data, Avro + will read the schema when the stream is established and apply the + schema to the received content. + +In addition to the preferred method (JSON), content can be delivered +from xNFs to ONAP can be encoded and serialized using Google Protocol +Buffers (GPB). + +KV-GPB/GPB +~~~~~~~~~~~~~~~~~~ + +Telemetry data delivered using Google Protocol Buffers v3 (proto3) +can be serialized in one of the following methods: + +* Key-value Google Protocol Buffers (KV-GPB) is also known as + self-describing GPB: + + * keys are strings that correspond to the path of the system + resources for the VNF being monitored. + * values correspond to integers or strings that identify the + operational state of the VNF resource, such a statistics counters + and the state of a VNF resource. + +* VNF providers must supply valid KV-GPB definition file(s) to allow + for the decoding of all KV-GPB encoded telemetry messages. + +* Native Google Protocol Buffers (GPB) is also known as compact GPB: + + * keys are represented as integers pointing to the system resources for + the VNF being monitored. + * values correspond to integers or strings that identify the operational + state of the VNF resource, such a statistics counters and the state + of a VNF resource. + +* Google Protocol Buffers (GPB) requires metadata in the form of .proto + files. VNF providers must supply the necessary GPB .proto files such that + GPB telemetry messages can be encoded and decoded. + +* In the future, we may consider support for other types of + encoding & serialization methods based on industry demand. + + +Reporting Frequency +~~~~~~~~~~~~~~~~~~~~~ + +* R-98191 The xNF **MUST** vary the frequency that asynchronous data + is delivered based on the content and how data may be aggregated or + grouped together. + + Note: + + - For example, alarms and alerts are expected to be delivered as + soon as they appear. In contrast, other content, such as + performance measurements, KPIs or reported network signaling may have + various ways of packaging and delivering content. Some content should + be streamed immediately; or content may be monitored over a time interval, + then packaged as collection of records and delivered as block; or data + may be collected until a package of a certain size has been collected; + or content may be summarized statistically over a time interval, or + computed as a KPI, with the summary or KPI being delivered. + - We expect the reporting frequency to be configurable depending + on the virtual network function’s needs for management. For example, + Service Provider may choose to vary the frequency of collection between + normal and trouble-shooting scenarios. + - Decisions about the frequency of data reporting will affect the + size of delivered data sets, recommended delivery method, and how the + data will be interpreted by ONAP. These considerations should not + affect deserialization and decoding of the data, which will be guided + by the accompanying JSON schema or GPB definition files. + +Addressing and Delivery Protocol +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +ONAP destinations can be addressed by URLs for RESTful data PUT. Future +data sets may also be addressed by host name and port number for TCP +streaming, or by host name and landing zone directory for SFTP transfer +of bulk files. + +* R-88482 The xNF **SHOULD** use REST using HTTPS delivery of plain + text JSON for moderate sized asynchronous data sets, and for high + volume data sets when feasible. +* R-84879 The xNF **MUST** have the capability of maintaining a primary + and backup DNS name (URL) for connecting to ONAP collectors, with the + ability to switch between addresses based on conditions defined by policy + such as time-outs, and buffering to store messages until they can be + delivered. At its discretion, the service provider may choose to populate + only one collector address for a xNF. In this case, the network will + promptly resolve connectivity problems caused by a collector or network + failure transparently to the xNF. +* R-81777 The xNF **MUST** be configured with initial address(es) to use + at deployment time. Subsequently, address(es) may be changed through + ONAP-defined policies delivered from ONAP to the xNF using PUTs to a + RESTful API, in the same manner that other controls over data reporting + will be controlled by policy. +* R-08312 The xNF **MAY** use another option which is expected to include REST + delivery of binary encoded data sets. +* R-79412 The xNF **MAY** use another option which is expected to include TCP + for high volume streaming asynchronous data sets and for other high volume + data sets. TCP delivery can be used for either JSON or binary encoded data + sets. +* R-01033 The xNF **MAY** use another option which is expected to include SFTP + for asynchronous bulk files, such as bulk files that contain large volumes of + data collected over a long time interval or data collected across many xNFs. + (Preferred is to reorganize the data into more frequent or more focused data + sets, and deliver these by REST or TCP as appropriate.) +* R-63229 The xNF **MAY** use another option which is expected to include REST + for synchronous data, using RESTCONF (e.g., for xNF state polling). +* R-03070 The xNF **MUST**, by ONAP Policy, provide the ONAP addresses + as data destinations for each xNF, and may be changed by Policy while + the xNF is in operation. We expect the xNF to be capable of redirecting + traffic to changed destinations with no loss of data, for example from + one REST URL to another, or from one TCP host and port to another. + +Asynchronous and Synchronous Data Delivery +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* R-06924 The xNF **MUST** deliver asynchronous data as data becomes + available, or according to the configured frequency. +* R-73285 The xNF **MUST** must encode, address and deliver the data + as described in the previous paragraphs. +* R-42140 The xNF **MUST** respond to data requests from ONAP as soon + as those requests are received, as a synchronous response. +* R-34660 The xNF **MUST** use the RESTCONF/NETCONF framework used by + the ONAP configuration subsystem for synchronous communication. +* R-86586 The xNF **MUST** use the YANG configuration models and RESTCONF + [RFC8040] (https://tools.ietf.org/html/rfc8040). +* R-11240 The xNF **MUST** respond with content encoded in JSON, as + described in the RESTCONF specification. This way the encoding of a + synchronous communication will be consistent with Avro. +* R-70266 The xNF **MUST** respond to an ONAP request to deliver the + current data for any of the record types defined in + `Event Records - Data Structure Description`_ by returning the requested + record, populated with the current field values. (Currently the defined + record types include fault fields, mobile flow fields, measurements for + xNF scaling fields, and syslog fields. Other record types will be added + in the future as they become standardized and are made available.) +* R-46290 The xNF **MUST** respond to an ONAP request to deliver granular + data on device or subsystem status or performance, referencing the YANG + configuration model for the xNF by returning the requested data elements. +* R-43327 The xNF **SHOULD** use `Modeling JSON text with YANG + <https://tools.ietf.org/html/rfc7951>`_, If YANG models need to be + translated to and from JSON{RFC7951]. YANG configuration and content can + be represented via JSON, consistent with Avro, as described in “Encoding + and Serialization” section. + +Security +~~~~~~~~~~ + +* R-42366 The xNF **MUST** support secure connections and transports such as + Transport Layer Security (TLS) protocol + [`RFC5246 <https://tools.ietf.org/html/rfc5246>`_] and should adhere to + the best current practices outlined in + `RFC7525 <https://tools.ietf.org/html/rfc7525>`_. +* R-44290 The xNF **MUST** control access to ONAP and to xNFs, and creation + of connections, through secure credentials, log-on and exchange mechanisms. +* R-47597 The xNF **MUST** carry data in motion only over secure connections. +* R-68165 The xNF **MUST** encrypt any content containing Sensitive Personal + Information (SPI) or certain proprietary data, in addition to applying the + regular procedures for securing access and delivery. + +.. [1] + This option is not currently supported in ONAP and it is currently + under consideration. + +.. |image0| image:: Data_Model_For_Event_Records.png + :width: 7in + :height: 8in + +.. |image1| image:: VES_JSON_Driven_Model.png + :width: 5in + :height: 3in + +.. |image2| image:: YANG_Driven_Model.png + :width: 5in + :height: 3in + +.. |image3| image:: Protocol_Buffers_Driven_Model.png + :width: 4.74in + :height: 3.3in + diff --git a/docs/Chapter7/Service-Design.rst b/docs/Chapter7/Service-Design.rst new file mode 100644 index 0000000..472badc --- /dev/null +++ b/docs/Chapter7/Service-Design.rst @@ -0,0 +1,12 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +Service Design +-------------- + +This section, Service Design, has been left intentionally blank. It +is out-of-scope for the VNF Requirements project for the Amsterdam +release and no numbered requirements are expected. Content may be +added in future updates of this document. diff --git a/docs/Chapter7/VNF-On-boarding-and-package-management.rst b/docs/Chapter7/VNF-On-boarding-and-package-management.rst new file mode 100644 index 0000000..7628aaa --- /dev/null +++ b/docs/Chapter7/VNF-On-boarding-and-package-management.rst @@ -0,0 +1,272 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +VNF On-boarding and package management +-------------------------------------- + +Design Definition +^^^^^^^^^^^^^^^^^^ + +The ONAP Design Time Framework provides the ability to design NFV +resources including VNFs, Services, and products. The VNF provider must +provide VNF packages that include a rich set of recipes, management and +functional interfaces, policies, configuration parameters, and +infrastructure requirements that can be utilized by the ONAP Design +module to onboard and catalog these resources. Initially this +information may be provided in documents, but in the near future a +method will be developed to automate as much of the transfer of data as +possible to satisfy its long term requirements. + +The current VNF Package Requirement is based on a subset of the +Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1 +and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization +(NFV), Management and Orchestration, VNF Packaging Specification. + +Resource Description +^^^^^^^^^^^^^^^^^^^^^^ + +* R-77707 The xNF provider **MUST** include a Manifest File that + contains a list of all the components in the xNF package. +* R-66070 The xNF Package **MUST** include xNF Identification Data to + uniquely identify the resource for a given xNF provider. The identification + data must include: an identifier for the xNF, the name of the xNF as was + given by the xNF provider, xNF description, xNF provider, and version. +* R-69565 The xNF Package **MUST** include documentation describing xNF + Management APIs, which must include information and tools for ONAP to + deploy and configure (initially and ongoing) the xNF application(s) + (e.g., NETCONF APIs) which includes a description of configurable + parameters for the xNF and whether the parameters can be configured + after xNF instantiation. +* R-00156 The xNF Package **MUST** include documentation describing xNF + Management APIs, which must include information and tools for ONAP + to monitor the health of the xNF (conditions that require healing + and/or scaling responses). +* R-00068 The xNF Package **MUST** include documentation which includes + a description of parameters that can be monitored for the xNF and + event records (status, fault, flow, session, call, control plane, + etc.) generated by the xNF after instantiation. +* R-12678 The xNF Package **MUST** include documentation which includes a + description of runtime lifecycle events and related actions (e.g., + control responses, tests) which can be performed for the xNF. +* R-84366 The xNF Package **MUST** include documentation describing + xNF Functional APIs that are utilized to build network and + application services. This document describes the externally exposed + functional inputs and outputs for the xNF, including interface + format and protocols supported. +* R-36280 The xNF provider **MUST** provide documentation describing + xNF Functional Capabilities that are utilized to operationalize the + xNF and compose complex services. +* R-98617 The xNF provider **MUST** provide information regarding any + dependency (e.g., affinity, anti-affinity) with other xNFs and resources. + +Resource Configuration +^^^^^^^^^^^^^^^^^^^^^^^ + +* R-89571 The xNF **MUST** support and provide artifacts for configuration + management using at least one of the following technologies; + a) Netconf/YANG, b) Chef, or c) Ansible. + + Note: The requirements for Netconf/YANG, Chef, and Ansible protocols + are provided separately and must be supported only if the corresponding + protocol option is provided by the xNF providor. + +Configuration Management via NETCONF/YANG +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* R-30278 The xNF provider **MUST** provide a Resource/Device YANG model + as a foundation for creating the YANG model for configuration. This will + include xNF attributes/parameters and valid values/attributes configurable + by policy. + +Configuration Management via Chef +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* R-13390 The xNF provider **MUST** provide cookbooks to be loaded + on the appropriate Chef Server. +* R-18525 The xNF provider **MUST** provide a JSON file for each + supported action for the xNF. The JSON file must contain key value + pairs with all relevant values populated with sample data that illustrates + its usage. The fields and their description are defined in Tables A1 + and A2 in the Appendix. + + Note: Chef support in ONAP is not currently available and planned for 4Q 2017. + +Configuration Management via Ansible +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +* R-75608 The xNF provider **MUST** provide playbooks to be loaded + on the appropriate Ansible Server. +* R-16777 The xNF provider **MUST** provide a JSON file for each + supported action for the xNF. The JSON file must contain key value + pairs with all relevant values populated with sample data that illustrates + its usage. The fields and their description are defined in Table B1 + in the Appendix. + +* R-46567 The xNF Package **MUST** include configuration scripts + for boot sequence and configuration. +* R-16065 The xNF provider **MUST** provide configurable parameters + (if unable to conform to YANG model) including xNF attributes/parameters + and valid values, dynamic attributes and cross parameter dependencies + (e.g., customer provisioning data). + +Resource Control Loop +^^^^^^^^^^^^^^^^^^^^^^^ + +* R-22888 The xNF provider **MUST** provide documentation for the xNF + Policy Description to manage the xNF runtime lifecycle. The document + must include a description of how the policies (conditions and actions) + are implemented in the xNF. +* R-01556 The xNF Package **MUST** include documentation describing the + fault, performance, capacity events/alarms and other event records + that are made available by the xNF. +* R-16875 The xNF Package **MUST** include documentation which must include + a unique identification string for the specific xNF, a description of + the problem that caused the error, and steps or procedures to perform + Root Cause Analysis and resolve the issue. +* R-35960 The xNF Package **MUST** include documentation which must include + all events, severity level (e.g., informational, warning, error) and + descriptions including causes/fixes if applicable for the event. +* R-42018 The xNF Package **MUST** include documentation which must include + all events (fault, measurement for xNF Scaling, Syslogs, State Change + and Mobile Flow), that need to be collected at each VM, VNFC (defined in `VNF Guidelines <http://onap.readthedocs.io/en/latest/submodules/vnfrqts/guidelines.git/docs/vnf_guidelines/vnf_guidelines.html#a-glossary>`__ ) and for the overall xNF. +* R-27711 The xNF provider **MUST** provide an XML file that contains a + list of xNF error codes, descriptions of the error, and possible + causes/corrective action. +* R-01478 The xNF Package **MUST** include documentation describing all + parameters that are available to monitor the xNF after instantiation + (includes all counters, OIDs, PM data, KPIs, etc.) that must be + collected for reporting purposes. +* R-73560 The xNF Package **MUST** include documentation about monitoring + parameters/counters exposed for virtual resource management and xNF + application management. +* R-90632 The xNF Package **MUST** include documentation about KPIs and + metrics that need to be collected at each VM for capacity planning + and performance management purposes. +* R-86235 The xNF Package **MUST** include documentation about the monitoring + parameters that must include latencies, success rates, retry rates, load + and quality (e.g., DPM) for the key transactions/functions supported by + the xNF and those that must be exercised by the xNF in order to perform + its function. +* R-33904 The xNF Package **MUST** include documentation for each KPI, provide + lower and upper limits. +* R-53598 The xNF Package **MUST** include documentation to, when relevant, + provide a threshold crossing alert point for each KPI and describe the + significance of the threshold crossing. +* R-69877 The xNF Package **MUST** include documentation for each KPI, + identify the suggested actions that need to be performed when a + threshold crossing alert event is recorded. +* R-22680 The xNF Package **MUST** include documentation that describes + any requirements for the monitoring component of tools for Network + Cloud automation and management to provide these records to components + of the xNF. +* R-33694 The xNF Package **MUST** include documentation to when applicable, + provide calculators needed to convert raw data into appropriate reporting + artifacts. +* R-56815 The xNF Package **MUST** include documentation describing + supported xNF scaling capabilities and capacity limits (e.g., number + of users, bandwidth, throughput, concurrent calls). +* R-48596 The xNF Package **MUST** include documentation describing + the characteristics for the xNF reliability and high availability. +* R-74763 The xNF provider **MUST** provide an artifact per xNF that contains + all of the xNF Event Records supported. The artifact should include + reference to the specific release of the xNF Event Stream Common Event + Data Model document it is based on. (e.g., + `VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__) + +Compute, Network, and Storage Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* R-35851 The xNF Package **MUST** include xNF topology that describes + basic network and application connectivity internal and external to the + xNF including Link type, KPIs, Bandwidth, latency, jitter, QoS (if + applicable) for each interface. +* R-97102 The VNF Package **MUST** include VM requirements via a Heat + template that provides the necessary data for VM specifications + for all VNF components - for hypervisor, CPU, memory, storage. +* R-20204 The VNF Package **MUST** include VM requirements via a Heat + template that provides the necessary data for network connections, + interface connections, internal and external to VNF. +* R-44896 The VNF Package **MUST** include VM requirements via a Heat + template that provides the necessary data for high availability + redundancy model. +* R-55802 The VNF Package **MUST** include VM requirements via a Heat + template that provides the necessary data for scaling/growth VM + specifications. + + Note: Must comply with the *Heat requirements in 5.b*. + +* R-26881 The xNF provider **MUST** provide the binaries and images + needed to instantiate the xNF (xNF and VNFC images). +* R-96634 The xNF provider **MUST** describe scaling capabilities + to manage scaling characteristics of the xNF. + + +Testing +^^^^^^^^^^ + +* R-43958 The xNF Package **MUST** include documentation describing + the tests that were conducted by the xNF providor and the test results. +* R-04298 The xNF provider **MUST** provide their testing scripts to + support testing. +* R-58775 The xNF provider **MUST** provide software components that + can be packaged with/near the xNF, if needed, to simulate any functions + or systems that connect to the xNF system under test. This component is + necessary only if the existing testing environment does not have the + necessary simulators. + +Licensing Requirements +^^^^^^^^^^^^^^^^^^^^^^^ + +* R-85653 The xNF **MUST** provide metrics (e.g., number of sessions, + number of subscribers, number of seats, etc.) to ONAP for tracking + every license. +* R-44125 The xNF provider **MUST** agree to the process that can + be met by Service Provider reporting infrastructure. The Contract + shall define the reporting process and the available reporting tools. +* R-40827 The xNF provider **MUST** enumerate all of the open + source licenses their xNF(s) incorporate. +* R-97293 The xNF provider **MUST NOT** require audits of + Service Provider’s business. +* R-44569 The xNF provider **MUST NOT** require additional + infrastructure such as a xNF provider license server for xNF provider + functions and metrics. +* R-13613 The VNF **MUST** provide clear measurements for licensing + purposes to allow automated scale up/down by the management system. +* R-27511 The VNF provider **MUST** provide the ability to scale + up a VNF provider supplied product during growth and scale down a + VNF provider supplied product during decline without “real-time” + restrictions based upon VNF provider permissions. +* R-85991 The xNF provider **MUST** provide a universal license key + per xNF to be used as needed by services (i.e., not tied to a VM + instance) as the recommended solution. The xNF provider may provide + pools of Unique xNF License Keys, where there is a unique key for + each xNF instance as an alternate solution. Licensing issues should + be resolved without interrupting in-service xNFs. +* R-47849 The xNF provider **MUST** support the metadata about + licenses (and their applicable entitlements) as defined in this + document for xNF software, and any license keys required to authorize + use of the xNF software. This metadata will be used to facilitate + onboarding the xNF into the ONAP environment and automating processes + for putting the licenses into use and managing the full lifecycle of + the licenses. The details of this license model are described in + Tables C1 to C8 in the Appendix. Note: License metadata support in + ONAP is not currently available and planned for 1Q 2018. + +.. |image0| image:: Data_Model_For_Event_Records.png + :width: 7in + :height: 8in + +.. |image1| image:: VES_JSON_Driven_Model.png + :width: 5in + :height: 3in + +.. |image2| image:: YANG_Driven_Model.png + :width: 5in + :height: 3in + +.. |image3| image:: Protocol_Buffers_Driven_Model.png + :width: 4.74in + :height: 3.3in + diff --git a/docs/Chapter7/index.rst b/docs/Chapter7/index.rst new file mode 100644 index 0000000..e5c1462 --- /dev/null +++ b/docs/Chapter7/index.rst @@ -0,0 +1,67 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +ONAP Management Requirements +============================ + +.. toctree:: + :maxdepth: 2 + + Service-Design + VNF-On-boarding-and-package-management + Configuration-Management + Monitoring-And-Management + + +The ONAP platform is the part of the larger Network Function +Virtualization/Software Defined Network (NFV/SDN) ecosystem that +is responsible for the efficient control, operation and management +of Virtual Network Function (VNF) capabilities and functions. It +specifies standardized abstractions and interfaces that enable +efficient interoperation of the NVF/SDN ecosystem components. It +enables product/service independent capabilities for design, creation +and runtime lifecycle management (includes all aspects of installation, +change management, assurance, and retirement) of resources in NFV/SDN +environment (see ECOMP white paper ). These capabilities are provided +using two major architectural frameworks: (1) a Design Time Framework +to design, define and program the platform (uniform onboarding), and +(2) a Runtime Execution Framework to execute the logic programmed in +the design environment (uniform delivery and runtime lifecycle +management). The platform delivers an integrated information model +based on the VNF package to express the characteristics and behavior +of these resources in the Design Time Framework. The information model +is utilized by Runtime Execution Framework to manage the runtime +lifecycle of the VNFs. The management processes are orchestrated +across various modules of ONAP to instantiate, configure, scale, +monitor, and reconfigure the VNFs using a set of standard APIs +provided by the VNF developers. + +Although the guidelines and requirements specified in this document +were originally driven by the need to standardize and automate the +management of the virtualized environments (with VNFs) operated by +Service Providers, we believe that most of the requirements are equally +applicable to the operation of the physical network functions (PNFs), +those network functions provided by traditional physical network +elements (e.g. whitebox switches) or customized peripherals (e.g. a +video rendering engine for augmented reality). The primary area of +difference will be in how the network function is orchestrated into +place – VNFs can be much more dynamically created & placed by ONAP +to support varying geographic, availability and scalability needs, +whereas the PNFs have to be deployed a priori in specific locations +based on planning and engineering – their availability and scalability +will be determined by the capabilities offered by the PNFs. + +**PNF** is a vendor-provided Network Function(s) implemented using a +bundled set of hardware and software while VNFs utilize cloud resources +to provide Network Functions through virtualized software modules. PNF +can be supplied by a vendor as a Black BOX (provides no knowledge of its +internal characteristics, logic, and software design/architecture) or as +a White Box (provides detailed knowledge and access of its internal +components and logic) or as a Grey Box (provides limited knowledge and +access to its internal components). + +* Requirements that equally apply to both VNFs and PNFs are defined as + "The xNF MUST/SHOULD/..." +* Requirements that only apply to VNFs are defined as "The VNF MUST/SHOULD/..." +* Requirements that only apply to PNFs are defined as "The PNF MUST/SHOULD/..." diff --git a/docs/Chapter8/Ansible-JSON-Key-Value-Description.rst b/docs/Chapter8/Ansible-JSON-Key-Value-Description.rst new file mode 100644 index 0000000..4eb8131 --- /dev/null +++ b/docs/Chapter8/Ansible-JSON-Key-Value-Description.rst @@ -0,0 +1,111 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +Ansible JSON Key Value Description +------------------------------------------------------------- + +The following provides the key value pairs that must be contained in the +JSON file supporting Ansible action. + +Table B1. Ansible JSON File key value description +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++---------------+----------------------+---------+----------------------------+ +| **Field Name**| **Description** | **Type**| **Comment** | ++===============+======================+=========+============================+ +| PlaybookName | VNF providor must |Mandatory|Currently following | +| | list name of the | |Ansible standard | +| | playbook relative | |naming, where main | +| | path used to | |playbook is always | +| | execute the VNF | |named site.yml, and | +| | action. | |directory name where | +| | | |this main playbook resides, | +| | | |is named after the | +| | | |command/action playbook | +| | | |performs, in lower case, | +| | | |example, configure. | ++---------------+----------------------+---------+----------------------------+ +| Action | Name of VNF action. | Optional| | ++---------------+----------------------+---------+----------------------------+ +| EnvParameters | A JSON dictionary | Optional|Depends on the VNF action. | +| | which should list key| | | +| | value pairs to be | |Attribute names (variable | +| | passed to the Ansible| |names) passed to Ansible | +| | playbook. These | |shall follow Ansible valid | +| | values would | |variable names: “Variable | +| | correspond to | |names should be letters, | +| | instance specific | |numbers, and underscores. | +| | parameters that a | |Variables should always | +| | playbook may need to | |start with a letter.” | +| | execute an action. | | | ++---------------+----------------------+---------+----------------------------+ +| NodeList |Ansible inventory | Optional|If not provided, pre-loaded | +| |hosts file with | |(VNF) inventory hosts | +| |VNF groups and | |file must exist in the | +| |respective IP | |Ansible Server otherwise | +| |addresses or DNS | |request fails. | +| |supported FQDNs | | | +| |that the playbook must| | | +| |be executed against. | | | ++---------------+----------------------+---------+----------------------------+ +| FileParameters| A JSON dictionary | Optional| Depends on the VNF action | +| | where keys are | | and playbook design. | +| | filenames and values | | | +| | are contents of | | | +| | files. The Ansible | | | +| | Server will utilize | | | +| | this feature to | | | +| | generate files with | | | +| | keys as filenames and| | | +| | values as content. | | | +| | This attribute can be| | | +| | used to generate | | | +| | files that a playbook| | | +| | may require as part | | | +| | of execution. | | | ++---------------+----------------------+---------+----------------------------+ +| Timeout | Time (in seconds) | Optional| | +| | that a playbook is | | | +| | expected to take to | | | +| | finish execution for | | | +| | the VNF. If playbook | | | +| | execution time | | | +| | exceeds this value, | | | +| | Ansible Server will | | | +| | terminate the | | | +| | playbook process. | | | ++---------------+----------------------+---------+----------------------------+ + +Ansible JSON file example: + +{ + + “Action”:”Configure”, + + "PlaybookName": "<VNFCode>/<Version>/ansible/configure/site.yml", + + "NodeList": ["test1.vnf\_b.onap.com", “test2.vnf\_b.onap.com”], + + "Timeout": 60, + + "EnvParameters": {"Retry": 3, "Wait": 5, “ConfigFile”:”config.txt”}, + + “FileParameters”:{“config.txt”:”db\_ip=10.1.1.1, sip\_timer=10000”} + +} + +In the above example, the Ansible Server will: + +a. Process the “FileParameters” dictionary and generate a file named + ‘config.txt’ with contents set to the value of the ‘config.txt’ key. + +b. Execute the playbook named ‘<VNFCode>/<Version>/ansible/configure/site.yml’ + on nodes with FQDNs test1.vnf\_b.onap.com and test2.vnf\_b.onap.com + respectively while providing the following key value pairs to the playbook: + Retry=3, Wait=5, ConfigFile=config.txt + + +c. If execution time of the playbook exceeds 60 secs (across all hosts), + it will be terminated. + diff --git a/docs/Chapter8/Ansible-Playbook-Examples.rst b/docs/Chapter8/Ansible-Playbook-Examples.rst new file mode 100644 index 0000000..4be9944 --- /dev/null +++ b/docs/Chapter8/Ansible-Playbook-Examples.rst @@ -0,0 +1,706 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +Ansible Playbook Examples +----------------------------------------------- + +The following sections contain examples of Ansible playbooks +which follow the guidelines. + +Guidelines for Playbooks to properly integrate with APPC +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +NOTE: To support concurrent requests to multiple VNF instances of same +or different type, VNF hosts and other files with VNF specific default +values are kept or created in separate directories. + +Example of an Ansible command (after pwd) to run playbook again +vfdb9904v VNF instance: + +.. code-block:: none + + $ pwd + /storage/vfdb/V16.1/ansible/configure + $ ansible-playbook -i ../inventory/vfdb9904vhosts site.yml --extra-vars "vnf_instance=vfdb9904v" + + NOTE: To preserve Ansible inventory/group_vars capability, that makes + group_vars contents global variables available to all playbooks, when they + reside in the inventory directory, guidelines are being updated to name the + VNF inventory hosts file as (a flat file) <VNFName>hosts, stored in the + inventory directory, not a subdirectory under inventory. In the above + example: vfdb9904vhosts (removed / VNF name and hosts vfdb9904/vhosts) + +Example of corresponding APPC API Call from ONAP – Ansible Server +Specifications: + +An example of a curl request simulating a Rest API POST requesting execution +of configure Playbook (using playbook relative path): + +.. code-block:: none + + curl -u APIUser:APIPassword -H "Content-type:application/json" -X POST + -d '{"Id": "8412", "PlaybookName": "vfdb/V5.x.x/ansible/configure/site.yml", + "Timeout":"600", "EnvParameters": { "vnf_instance": "vfdb9904v" }}' + http://ansible.server.com:5000/Dispatch + +Rest API GET request to obtain response/results for prior request +(same Id as POST request above): + +.. code-block:: none + + curl -u APIUser:APIPassword -H 'Content-type: application/json' -X GET + 'http://ansible.server.com:5000/Dispatch/?Id=8412&Type=GetResult' + +Comments: + +- An ID number is assigned to each request. This ID number is used to + track request down to completion and provide status to APPC when + requested. + +- Playbook Name relative path provided in the request as PlaybookName + +- Ansible Server Rest API is aware of playbook’s root directory which may + vary from instance to instance or Ansible Server cluster to cluster. + +Ansible Playbooks will use the VNF instance name (passed using +--extra-vars "vnf\_instance=vfdb9904v") to identify other default values +to run the playbook(s) against the target VNF instance. Same example as +above: + +.. code-block:: none + + $ ansible-playbook -i ../inventory/vfdb9904vhosts site.yml --extra-vars "vnf_instance=vfdb9904v" + +Each Ansible Server or cluster is assigned its own identification to be used +to authenticate to VNF VMs using Ansible Server or cluster specific set of +SSH keys that may be rotated regularly. Here hosts file, no longer referencing +file with SSH key credentials, to run ansible-playbook listed in this example +above (IP addresses were scrubbed): + +.. code-block:: none + + $ more ../inventory/vfdb9904v/hosts + [host] + localhost ansible_connection=local + + [oam] + 1xx.2yy.zzz.109 + 1xx.2yy.zzz.110 + + [rdb] + 1xx.2yy.zzz.105 + 1xx.2yy.zzz.106 + +NOTE: APPC requests to run Playbooks/Cookbooks are specific to a VNF, +but could be more limited to one VM or one type of VM by the request +parameters. Actions that may impact a site (LCP), a service, or an +entire platform must be orchestrated by MSO in order to execute requests +via APPC which then invoke VNF level playbooks. Playbooks that impact +more than a single VNF are not the current focus of these guidelines. + +Since last release of these guidelines, based on recent learnings, +moving VNF Type global variables under inventory/group_vars files, this +way variables and respective values are available to all playbooks without +being explicitly referenced though an include statement. Also creating +templates that are VNF Type specific, but moving away from static files +that are VNF instance specific, working to obtain VNF instance specific +from other sources, inventory database, etc. + +And here the scrubbed default arguments for this VNF instance(originated +from previously re-factored playbooks now being phased out): + +.. code-block:: none + + vnf_instance=vfdb9904v + + $ more ../vars/vfdb9904v/default_args.yml + vm_config_oam_vnfc_name: vfdb9904vm001oam001 + vm_config_oam_hostname: vfdb9904vm001 + vm_config_oam_provider_ip_address: 1xx.2yy.zzz.109 + … + +IMPORTANT: The APPC and default file attribute name for +vm\_config\_oam\_vnfc\_name, as an example, is derived from vm\_config +array structure (list) in the CSAR package ENV file, with dots replaced +by underscore: + +.. code-block:: none + + vm_config: + + oam: {vnfc_name: {{ vm_config_oam_vnfc_name }}, hostname: {{ + vm_config_oam_hostname }}, provider_ip_address: {{ + vm_config_oam_provider_ip_address } + }, + … + +Parameters like VNF names, VNFC names, OA&M IP addresses, after +February, 2018 ONAP release, will be extracted from A&AI by APPC and +then passed down to Ansible Server, as part of APPC request through REST +API. In the meantime, VNF instance specific required values, will +be stored on VNF instance directory, default arguments file and will be +used as defaults. For parameterized playbooks attribute-value pairs +passed down by APPC to Ansible Server always take precedence over +template or VNF instance specific defaults stored in defaults file(s). + +.. code-block:: none + + $ pwd + /storage/vfdb/latest/ansible + Again, originated from previously re-factored playbooks now being phased out: + + $ more vars/vfdb9904v/default_args.yml + + vm_config_oam1_vnfc_name: vfdb9904vm001oam001 + vm_config_oam1_hostname: vfdb9904vm001 + vm_config_oam1_provider_ip_address: 1xx.2yy.zzz.109 + + vm_config_oam2_vnfc_name: vfdb9904vm002oam001 + vm_config_oam2_hostname: vfdb9904vm002 + vm_config_oam2_provider_ip_address: 1xx.2yy.zzz.110 + + vm_config_rdb1_vnfc_name: vfdb9904vm003rdb001 + vm_config_rdb1_hostname: vfdb9904vm003 + vm_config_rdb1_provider_ip_address: 1xx.2yy.zzz.105 + + vm_config_rdb2_vnfc_name: vfdb9904vm004rdb001 + vm_config_rdb2_hostname: vfdb9904vm004 + vm_config_rdb2_provider_ip_address: 1xx.2yy.zzz.106 + + vm_config_rdb3_vnfc_name: vfdb9904vm005rdb001 + vm_config_rdb3_hostname: vfdb9904vm005 + vm_config_rdb3_provider_ip_address: 1xx.2yy.zzz.xxx + + vm_config_rdb4_vnfc_name: vfdb9904vm006rdb001 + vm_config_rdb4_hostname: vfdb9904vm006 + vm_config_rdb4_provider_ip_address: 1xx.2yy.zzz.yyy + +One of the first tasks on the Ansible Playbooks is to combine the VNF +type generic template, derived from ENV files in CSAR or other files, +with these default values stored on the Ansible Server, together with +the overriding parameters passed down from APPC, to create the VNF +instance specific set of attribute-value pairs to be used for the run, in +INI format. Here is an excerpt from such a file that should look +somewhat similar to ENV files: + +.. code-block:: none + + $ more tmp/vfdb9904v/all.yml + + deployment_prefix: vfdb9904v + … + timezone: Etc/UTC + … + template_version: '2014-10-16' + stack_name: vfdb9904v + c3dbtype: OAM + stackName: vfdb9904v + juno_base: true + … + +# logins list contain 'login name', 'login group', 'login password' + +.. code-block:: none + + logins: + - { name: 'm99999', group: 'm99999', password: 'abcdefgha' } + - { name: 'gsuser', group: 'gsuser', password: ' abcdefgha' } + - { name: 'peruser', group: 'peruser', password: ' abcdefgha' } + - { name: 'dbuser', group: 'dbuser', password: ' abcdefgha' } + +NOTE: Arguments passed by APPC to Ansible Server to run a playbook take +precedence over any defaults stored in Ansible Server. + +Ansible Playbooks – Notes On Artifacts Required to Run Playbooks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Inventory hosts file: should be VNF instance specific. + +Default variables: should be VNF instance specific. + +NOTE: Some playbooks may rely on inventory directory contents to target +the collection of VNFs in the Services Platform supported through +Ansible. + +Playbooks and paths to referenced files: Playbooks shall not use +absolute paths in include or import entries (variables or playbooks) or +other types of references. + +For this to work properly, when running playbooks, the directory where +the main playbook resides shall be the current directory. + +Playbook imports, when used, shall use paths relative to the main +playbook directory. + +Root directory named ansible - Any files provided with playbooks, +included, imported, or referenced by playbooks, shall reside under the ansible +playbooks (root) directory, containing all playbook subdirectories, or +below that ansible root directory, in other subdirectories to support +on-boarding and portability of VNF collection of playbooks and related +artifacts. + +Designing for a shared environment, concurrently running playbooks, +targeting multiple VNF instances – inventory hosts file: + +To avoid inventory hosts file overwrites or collisions between multiple +concurrently running VNF instance requests, chosen approach is for each +VNF instance hosts file, to be stored under the Ansible Server Playbooks +root directory, under the inventory subdirectory, and under a directory +for each VNF instance, named after the VNF instance, as follows: + +ansible/inventory/<VNF\_instance\_name>/hosts + +Example of inventory hosts file path, relative to ansible playbooks root +directory (playbooks\_dir): ansible/inventory/vnfx0001v/hosts + +**Designing for a shared environment, concurrently running multiple playbooks, +targeting multiple VNF instances – default argument variables for +specific VNF instances:** + +Files containing attribute name value pairs (variable name and default +values), referenced/included by playbooks – Files containing VNF +instance specific default values – in a later APPC release, some or all +the default attribute value pairs contained in the defaults file, may be +passed down by APPC, to the Ansible Server, overriding these defaults: + +VNF instance specific files +referenced/included by playbooks, containing default values, example, +default\_args.yml, shall be stored under a directory with VNF instance +name on the path. + +Example: + +ansible/vars/<VNF\_instance\_name>/default\_args.yml + +Example of include statement: + +- include_vars: ../vars/{{ vnf_instance }}/default_args.yml + +Again, this was originated from previously re-factored playbooks, now being +phased out, to move away from having to create VNF instance specific files +with VNF instance default variables. Moving to extract these values from +inventory databases and provide them to Ansible Server as part of the APPC +request, but may be used in a transition from having everything stored in the +Ansible Server to APPC extracting and providing VNF instance specific +attribute-value pairs to the Ansible Server as part of the request. + +Files containing attribute name value pairs (variable name and default +values), referenced/included by playbooks – created dynamically by +playbooks: + +To avoid +overwrites or collisions of multiple concurrently running VNF instance +requests, files created dynamically by playbooks, based on VNF generic +templates, combined with default values and arguments passed down by +APPC (as part of the request), shall be stored under a directory with +VNF instance name on the path. + +Example: + +tmp/<VNF\_instance\_name>/all.yml + +Files containing site specific (Openstack location non-instance +specific) attribute name value pairs, like NTP server and DNS server’s +IP addresses and other parameters, referenced/included by playbooks, not +VNF specific – Could/should be stored under inventory/group_vars directory, +in a subdirectory named after the string used to identify the site (nyc1, +lax2,…). + +Examples: + +ansible/inventory/group_vars/<Site> + +ansible/inventory/group_vars/nyc1 + +ansible/inventory/group_vars/lax2 + + +\ **Ansible Server Design - Directory Structure** + +To help understanding the contents of this section, here are few basic +definitions: + +**VNF type a.k.a VNF Function Code** - Based on current Services +Platform naming convention, each Virtual Network Function is assigned a +4 character string (example vfdb), these are 4 characters in +the VNF instance name, followed by (4) numbers, ending in a "v", but the +naming convention is evolving. VNF instance name in +some cases corresponds to the stack name for the VNF when VNF instance +is built based on a single module, single stack. Example of VNF instance +name: vfdb9904v. All VNF performing this function, running the same +software, coming from the same VNF provider will have the same 4 +characters in the VNF instance name, in this example, vfdb. + +NOTE: New naming convention includes a prefix indicating geographical +location where VNF is instantiated. + +VNF type, determined through these 4 characters, is also known as VNF +Function Code and is assigned by inventory team. All Services Platform +VNF Function Codes can be found in inventory database and/or A&AI as +well as Services Platform Network Design Documents. + +Version – As in VNF software version is the release of the software +running on the VNF for which the playbooks were developed. VNF +configuration steps may change from release to release and this +<Version> in the path will allow the Ansible Server to host playbooks +associated with each software release. And run the playbooks that match +the software release running on each VNF instance. APPC initially will +not support playbook versioning only latest playbook is supported or a hard +coded version that later should become a variable to allow multiple +actively in use playbook versions according to VNF release. + +Playbook Function - Is a name associated with a life cycle management +task(s) performed by the playbook(s) stored in this directory. It should +clearly identify the type of action(s) performed by the main playbook +and possibly other playbooks stored in this same directory. Ideally, +playbook function would match APPC corresponding command or function that +is performed by the main playbook in this directory. Following Ansible naming +standards main playbook is usually named site.yml. There can be other +playbooks on the same directory that use a subset of the roles used by the +main playbook site.yml. Examples of Playbook Function directory names: + +- configure – Contains post-instantiation (bulk) configuration + playbooks, roles,… + +- healthcheck – Contains VNF health check playbook(s), roles,… + +- stop – Contains VNF application stop (stopApplication) playbook(s), + roles,… + +- start – Contains VNF application start (startApplication) playbook(s), + roles,… + +Directory structure to allow hosting multiple version sets of playbooks, +for the same VNF type, to be hosted in the runtime environment on the +Ansible Servers. Generic directory structure: + +Ansible Playbooks – Function directory and main playbook: + +.. code-block:: none + + <VNF type>/<Version>/ansible/<Playbook Function>/site.yml + +Example – Post-instantiation (bulk) configuration –APPC Function - +Configure: + +.. code-block:: none + + <VNF type>/<Version>/ansible/configure/site.yml + +Example – Post-instantiation (bulk) configuration –APPC Function +– Configure – VNF software version 16.1: + +.. code-block:: none + + vfdb/V16.1/ansible/configure/site.yml + +Example – Health-check –APPC Function - HealthCheck: + +.. code-block:: none + + <VNF type>/<Version>/ansible/healthcheck/site.yml + +OR (Function directory name does not need to match APPC function name) + +.. code-block:: none + + <VNF type>/<Version>/ansible/check/site.yml + +Ansible Directories for other artifacts – VNF inventory hosts file - +Required: + +.. code-block:: none + + <VNF type>/<Version>/ansible/inventory/<VNF instance name>hosts + +Ansible Directories for other artifacts – VNF instance specific default +arguments – Optional: + +.. code-block:: none + + <VNF type>/<Version>/ansible/group_vars/<VNF instance name> + +NOTE: This requirement is expected to be deprecated all or in part in the +future, for automated actions, once APPC can pass down all VNF specific +arguments for each action. Requirement remains while manual actions are +to be supported. Other automated inventory management mechanisms may be +considered in the future, Ansible supports many automated inventory +management mechanisms/tools/solutions. + +Ansible Directories for other artifacts – VNF (special) groups – +Optional: + +.. code-block:: none + + <VNF type>/<Version>/ansible/inventory/group_vars/<VNF instance name> + +NOTE: Default groups will be created based on VNFC type, 3 characters, +on VNFC name. Example: “oam”, “rdb”, “dbs”, “man”, “iox”, “app”,… + +Ansible Directories for other artifacts – VNF (special) other files – +Optional – Example – License file: + +.. code-block:: none + + <VNF type>/<Version>/ansible/<Other directory(s)> + +CAUTION: On referenced files used/required by playbooks. + +- To avoid missing files, during on-boarding or uploading of Ansible + Playbooks and related artifacts, all permanent files (not generated + by playbooks as part of execution), required to run any playbook, + shall reside under the ansible root directory or below on other + subdirectories. + +- Any references to files, on includes or other playbook entries, shall + use relative paths. + +- This is the ansible (root) directory referenced on this + note (Ansible Server mount point not included): + +.. code-block:: none + + <VNF type>/<Version>/ansible/ + +There will be a soft link to the latest set of Ansible Playbooks for +each VNF type. + +VNF type directories use A&AI inventory VNF function code. Ansible +Playbooks will be stored on a Cinder Volume mounted on the Ansible +Servers as /storage. Example: + +/storage/vfdb/latest/ansible – This soft link point to the latest set of +playbooks (or the only set) + +/storage/vfdb/V16.1/ansible – Root directory for database VNF Ansible +Playbooks for release 16.1 + +CAUTION: To support this directory structure as the repository to store +Ansible Playbooks run by APPC, APPC API in the Ansible Server side needs +to be configured to run playbooks from directory, not MySQL database. + +Ansible Server HTTP will be configured to support APPC REST API requests +to run playbooks as needed, against specific VNF instances, or specific +VM(s) as specified in the request. + +ONAP APPC REST API to Ansible Server is documented separately and can be +found under ONAP (onap.org). + +**Ansible Server – On-boarding Ansible Playbooks** + +Once playbooks are developed following the guidelines listed in prior +section(s), playbooks need to be on-boarded onto Ansible Server(s). In +the future, they’ll be on-boarded and distributed through ONAP, at least +that is the proposed plan, but for now they need to be uploaded +manually. There is work in progress to use a Git as the playbook +repository to store and track playbooks by version, version control. + +These are the basic steps to on-board playbooks manually onto the +Ansible Server. + +1. Upload CSAR, zip, or tar file containing VNF playbooks and related + artifacts. + +2. Create full directory (using –p option below) to store Ansible + Playbooks and other artifacts under /storage (or other configured) + file system. + + a. Includes VNF type using VNF function code 4 characters under + /storage. + + b. Includes VNF “Version” directory as part of the path to store + playbooks for this VNF version. + + c. Include generic ansible root directory. Creating full directory + path as an example: + +.. code-block:: none + + $ mkdir –p /storage/vfdb/V16.1/ansible**/** + +3. Make this directory (VNF ansible root directory) current directory + for next few steps: + +.. code-block:: none + + cd /storage/vfdb/V16.1/ansible/ + +4. Extract Ansible Playbooks and other Ansible artifacts associated with + the playbooks onto the ansible directory. Command depends on the type + of file uploaded, examples would be: + +.. code-block:: none + + tar xvf .. + unzip … + bunzip .. + +5. Create VNF inventory hosts file with all VMs and + OA&M IP addresses for all VNF instances with known OA&M IP addresses + for respective VMs, example: + +.. code-block:: none + + $ mkdir inventory + + $ touch inventory/vfdb9904vhosts + + $ cat inventory/vfdb9904vhosts + + [host] + localhost ansible\_connection=local + + [oam] + 1xx.2yy.zzz.109 + 1xx.2yy.zzz.110 + + [rdb] + 1xx.2yy.zzz.105 + 1xx.2yy.zzz.106 + +6. (Optional, being deprecated) Create directory to hold default +arguments for each VNF instance, +example: + +.. code-block:: none + + $ mkdir –p vars/vfdb9904v + $ touch vars/vfdb9904v/default\_args.yml + $ cat vars/vfdb9904v/default\_args.yml + vm\_config\_oam1\_vnfc\_name: vfdb9904vm001oam001 + vm\_config\_oam1\_hostname: vfdb9904vm001 + vm\_config\_oam1\_provider\_ip\_address: 1xx.2yy.zzz.109 + + vm\_config\_oam2\_vnfc\_name: vfdb9904vm002oam001 + vm\_config\_oam2\_hostname: vfdb9904vm002 + vm\_config\_oam2\_provider\_ip\_address: 1xx.2yy.zzz.110 + + vm\_config\_rdb1\_vnfc\_name: vfdb9904vm003rdb001 + vm\_config\_rdb1\_hostname: vfdb9904vm003 + vm\_config\_rdb1\_provider\_ip\_address: 1xx.2yy.zzz.105 + + vm\_config\_rdb2\_vnfc\_name: vfdb9904vm004rdb001 + vm\_config\_rdb2\_hostname: vfdb9904vm004 + vm\_config\_rdb2\_provider\_ip\_address: 1xx.2yy.zzz.106 + + vm\_config\_rdb3\_vnfc\_name: vfdb9904vm005rdb001 + vm\_config\_rdb3\_hostname: vfdb9904vm005 + vm\_config\_rdb3\_provider\_ip\_address: 1xx.2yy.zzz.xxx + + vm\_config\_rdb4\_vnfc\_name: vfdb9904vm006rdb001 + vm\_config\_rdb4\_hostname: vfdb9904vm006 + vm\_config\_rdb4\_provider\_ip\_address: 1xx.2yy.zzz.yyy + +NOTE: Please note names in this file shall use underscore “\_” not dots +“.” or dashes “-“. + +7. Perform some basic playbook validation running with “--check” option, + running dummy playbooks or other. + +NOTE: Each Ansible Server or cluster of Ansible Server will have its own +credentials to authenticate to VNF VMs. Ansible Server SSH public key(s) +have to be loaded onto VNF VMs during instantiation or other way before +Ansible Server can access VNF VMs and run playbooks. HOT templates used +by heat to instantiate VNFs to be configured by these Ansible Servers running +playbooks shall include the same SSH public key and load them onto VNF VM(s) +as part of instantiation. + +Other non-vendor specific playbook tasks need to be incorporated in overall +post-instantiation configuration playbook. Alternative is for company +developed playbooks to be uploaded and executed, after VNF vendor provided +playbooks are run. + +**A couple of playbooks used for proof-of-concept testing as examples:** + +UpgradePreCheck: + +.. code-block:: none + + $ pwd + /storage/comx/V5.3.1.3/ansible/upgradeprecheck + + $ more site.yml + --- + + - import_playbook: ../common/create_vars.yml + - import_playbook: ../common/create_hosts.yml + + - name: upgrade software pre check + hosts: oam,dbs,cpm + gather_facts: no + become: true + become_method: sudo + become_user: root + max_fail_percentage: 0 + any_errors_fatal: True + roles: + - precheck + tags: precheck + + $ more roles/precheck/tasks/main.yml + --- + + - include_vars: /tmp/{{ vnf_instance }}/all.yml + + - name: get software version installed on vnf + shell: grep "^SW_VERSION =" /vendor/software/config/param_common.cfg | grep -c "{{ existing_software_version }}" + register: version_line + ignore_errors: yes + + - name: send msg when matches expected version + debug: msg="*** OK *** VNF software release matches (old) release to be upgraded." + verbosity=1 + when: version_line.stdout.find('1') != -1 + + # send warning message and failure when release is not a match + - fail: + msg="*** WARNING *** VNF software release does not match expected (pre-upgrade) release." + when: (version_line | failed) or version_line.stdout.find('1') == -1 + + +UpgradePostCheck: + +.. code-block:: none + + $ pwd + /storage/comx/V5.3.1.3/ansible/upgradepostcheck + + $ more site.yml + --- + + - import_playbook: ../common/create_vars.yml + - import_playbook: ../common/create_hosts.yml + + - name: upgrade software post check + hosts: oam,dbs,cpm + gather_facts: no + become: true + become_method: sudo + become_user: root + max_fail_percentage: 0 + any_errors_fatal: True + roles: + - postcheck + tags: postcheck + + $ more roles/postcheck/tasks/main.yml + --- + + - include_vars: /tmp/{{ vnf_instance }}/all.yml + + - name: get post upgrade software version installed on vnf + shell: grep "^SW_VERSION =" /vendor/software/config/param_common.cfg | grep -c "{{ new_software_version }}" + register: version_line + ignore_errors: yes + + - name: send msg when matches expected version + debug: msg="*** OK *** VNF software release matches new release." + verbosity=1 + when: version_line.stdout.find('1') != -1 + + # send warning message and failure when release is not a match + - fail: + msg="*** WARNING *** VNF software release does not match expected new (post-upgrade) release." + when: (version_line | failed) or version_line.stdout.find('1') == -1 + diff --git a/docs/Chapter8/Chef-JSON-Key-Value-Description.rst b/docs/Chapter8/Chef-JSON-Key-Value-Description.rst new file mode 100644 index 0000000..7144159 --- /dev/null +++ b/docs/Chapter8/Chef-JSON-Key-Value-Description.rst @@ -0,0 +1,178 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +Chef JSON Key Value Description +------------------------------------- + +The following provides the key value pairs that must be contained in the +JSON file supporting Chef action. + +Table A1. Chef JSON File key value description +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++----------------+--------------------------+---------+----------------------+ +| **Field Name** | **Description** | **Type**| **Comment** | ++================+==========================+=========+======================+ +| Environment | A JSON dictionary | Optional|Depends on VNF action.| +| | representing a Chef | | | +| | Environment object. If | | | +| | the VNF action requires | | | +| | loading or modifying Chef| | | +| | environment attributes | | | +| | associated with the VNF, | | | +| | all the relevant | | | +| | information must be | | | +| | provided in this JSON | | | +| | dictionary in a structure| | | +| | that conforms to a Chef | | | +| | Environment Object. | | | ++----------------+--------------------------+---------+----------------------+ +| Node | A JSON dictionary |Mandatory| | +| | representing a Chef Node | | | +| | Object. | | | +| | | | | +| | The Node JSON dictionary | | | +| | must include the run list| | | +| | to be triggered for the | | | +| | desired VNF action by the| | | +| | push job. It should also | | | +| | include any attributes | | | +| | that need to be | | | +| | configured on the Node | | | +| | Object as part of the VNF| | | +| | action. | | | ++----------------+--------------------------+---------+----------------------+ +| NodeList | Array of FQDNs that |Mandatory| | +| | correspond to the | | | +| | endpoints (VMs) of a VNF | | | +| | registered with the Chef | | | +| | Server that need to | | | +| | trigger a chef-client run| | | +| | as part of the desired | | | +| | VNF action. | | | ++----------------+--------------------------+---------+----------------------+ +| PushJobFlag | This field indicates |Mandatory| If set to “True”, | +| | whether the VNF action | | ONAP will request a | +| | requires a push Job. Push| | push job. Ignored | +| | job object will be | | otherwise. | +| | created by ONAP if | | | +| | required. | | | ++----------------+--------------------------+---------+----------------------+ +| CallbackCapable| This field indicates if | Optional| If Chef cookbook is | +| | the chef-client run | | callback capable, VNF| +| | invoked by push job | | owner is required to | +| | corresponding to the VNF | | set it to “True”. | +| | action is capable of | | Ignored otherwise. | +| | posting results on a | | | +| | callback URL. | | | ++----------------+--------------------------+---------+----------------------+ +| GetOutputFlag | Flag which indicates |Mandatory| ONAP will retrieve | +| | whether ONAP should | | output from | +| | retrieve output generated| | NodeObject attributes| +| | in a chef-client run from| | [‘PushJobOutput’] for| +| | Node object attribute | | all nodes in NodeList| +| | node[‘PushJobOutput’] for| | if set to “True”. | +| | this VNF action (e.g., in| | Ignored otherwise. | +| | Audit). | | | ++----------------+--------------------------+---------+----------------------+ + +Chef Template example: + +.. code-block:: chef + + “Environment”:{ + "name": "HAR", + "description": "VNF Chef environment for HAR", + "json\_class": "Chef::Environment", + "chef\_type": "environment", + "default\_attributes": { }, + "override\_attributes": { + “Retry\_Time”:”50”, + “MemCache”: “1024”, + “Database\_IP”:”10.10.1.5” + }, + } + } + “Node”: { + “name” : “signal.network.com “ + "chef\_type": "node", + "json\_class": "Chef::Node", + "attributes": { + “IPAddress1”: “192.168.1.2”, + “IPAddress2”:”135.16.162.5”, + “MyRole”:”BE” + }, + "override": {}, + "default": {}, + “normal”:{}, + “automatic”:{}, + “chef\_environment” : “\_default” + "run\_list": [ "configure\_signal" ] + }, + “NodeList”:[“node1.vnf\_a.onap.com”, “node2.vnf\_a.onap.com”], + “PushJobFlag”: “True” + “CallbackCapable”:True + “GetOutputFlag” : “False” + } + +The example JSON file provided by the VNF provider for each VNF action will be +turned into a template by ONAP, that can be updated with instance +specific values at run-time. + +Some points worth noting regarding the JSON fields: + +a. The JSON file must be created for each action for each VNF. + +b. If a VNF action involves multiple endpoints (VMs) of a VNF, ONAP will + replicate the “Node” JSON dictionary in the template and post it to + each FQDN (i.e., endpoint) in the NodeList after setting the “name” + field in the Node object to be the respective FQDN [1]_. Hence, it + is required that all end points (VMs) of a VNF involved in a VNF + action support the same set of Node Object attributes. + +The following table describes the JSON dictionary to post in Callback. + +Table A2. JSON Dictionary to Post in Callback +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++--------------+----------------------------+---------+-----------------------+ +| **Key** | **Description** | **Type**| **Comment** | ++==============+============================+=========+=======================+ +| RequestId | A unique string associated |Mandatory| | +| | with the original request | | | +| | by ONAP. This key-value | | | +| | pair will be provided by | | | +| | ONAP in the environment of | | | +| | the push job request and | | | +| | must be returned as part of| | | +| | the POST message. | | | ++--------------+----------------------------+---------+-----------------------+ +| StatusCode | An integer that must be set|Mandatory| | +| | to 200 if chef-client run | | | +| | on the node finished | | | +| | successfully 500 otherwise.| | | ++--------------+----------------------------+---------+-----------------------+ +| StatusMessage| A string which must be set |Mandatory| | +| | to ‘SUCCESS’ if StatusCode | | | +| | was 200 | | | +| | | | | +| | Appropriate error message | | | +| | otherwise. | | | ++--------------+----------------------------+---------+-----------------------+ +| Name | A string which corresponds |Mandatory| | +| | to the name of the node | | | +| | where push job is run. It | | | +| | is required that the value | | | +| | be retrieved from the node | | | +| | object attributes (where it| | | +| | is always defined). | | | ++--------------+----------------------------+---------+-----------------------+ +| PushJobOutput| Any output from the |Optional | Depends on VNF action.| +| | chef-client run that needs | | If empty, it must not | +| | to be returned to ONAP. | | be included. | ++--------------+----------------------------+---------+-----------------------+ + +.. [1] + The “name” field is a mandatory field in a valid Chef Node Object + JSON dictionary. diff --git a/docs/Chapter8.rst b/docs/Chapter8/Requirement-List.rst index cbb0107..41c9ea2 100644 --- a/docs/Chapter8.rst +++ b/docs/Chapter8/Requirement-List.rst @@ -2,884 +2,6 @@ .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2017 AT&T Intellectual Property. All rights reserved. - -Appendix -======== - -Chef JSON Key Value Description -------------------------------------- - -The following provides the key value pairs that must be contained in the -JSON file supporting Chef action. - -Table A1. Chef JSON File key value description -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+----------------+--------------------------+---------+----------------------+ -| **Field Name** | **Description** | **Type**| **Comment** | -+================+==========================+=========+======================+ -| Environment | A JSON dictionary | Optional|Depends on VNF action.| -| | representing a Chef | | | -| | Environment object. If | | | -| | the VNF action requires | | | -| | loading or modifying Chef| | | -| | environment attributes | | | -| | associated with the VNF, | | | -| | all the relevant | | | -| | information must be | | | -| | provided in this JSON | | | -| | dictionary in a structure| | | -| | that conforms to a Chef | | | -| | Environment Object. | | | -+----------------+--------------------------+---------+----------------------+ -| Node | A JSON dictionary |Mandatory| | -| | representing a Chef Node | | | -| | Object. | | | -| | | | | -| | The Node JSON dictionary | | | -| | must include the run list| | | -| | to be triggered for the | | | -| | desired VNF action by the| | | -| | push job. It should also | | | -| | include any attributes | | | -| | that need to be | | | -| | configured on the Node | | | -| | Object as part of the VNF| | | -| | action. | | | -+----------------+--------------------------+---------+----------------------+ -| NodeList | Array of FQDNs that |Mandatory| | -| | correspond to the | | | -| | endpoints (VMs) of a VNF | | | -| | registered with the Chef | | | -| | Server that need to | | | -| | trigger a chef-client run| | | -| | as part of the desired | | | -| | VNF action. | | | -+----------------+--------------------------+---------+----------------------+ -| PushJobFlag | This field indicates |Mandatory| If set to “True”, | -| | whether the VNF action | | ONAP will request a | -| | requires a push Job. Push| | push job. Ignored | -| | job object will be | | otherwise. | -| | created by ONAP if | | | -| | required. | | | -+----------------+--------------------------+---------+----------------------+ -| CallbackCapable| This field indicates if | Optional| If Chef cookbook is | -| | the chef-client run | | callback capable, VNF| -| | invoked by push job | | owner is required to | -| | corresponding to the VNF | | set it to “True”. | -| | action is capable of | | Ignored otherwise. | -| | posting results on a | | | -| | callback URL. | | | -+----------------+--------------------------+---------+----------------------+ -| GetOutputFlag | Flag which indicates |Mandatory| ONAP will retrieve | -| | whether ONAP should | | output from | -| | retrieve output generated| | NodeObject attributes| -| | in a chef-client run from| | [‘PushJobOutput’] for| -| | Node object attribute | | all nodes in NodeList| -| | node[‘PushJobOutput’] for| | if set to “True”. | -| | this VNF action (e.g., in| | Ignored otherwise. | -| | Audit). | | | -+----------------+--------------------------+---------+----------------------+ - -Chef Template example: - -.. code-block:: chef - - “Environment”:{ - "name": "HAR", - "description": "VNF Chef environment for HAR", - "json\_class": "Chef::Environment", - "chef\_type": "environment", - "default\_attributes": { }, - "override\_attributes": { - “Retry\_Time”:”50”, - “MemCache”: “1024”, - “Database\_IP”:”10.10.1.5” - }, - } - } - “Node”: { - “name” : “signal.network.com “ - "chef\_type": "node", - "json\_class": "Chef::Node", - "attributes": { - “IPAddress1”: “192.168.1.2”, - “IPAddress2”:”135.16.162.5”, - “MyRole”:”BE” - }, - "override": {}, - "default": {}, - “normal”:{}, - “automatic”:{}, - “chef\_environment” : “\_default” - "run\_list": [ "configure\_signal" ] - }, - “NodeList”:[“node1.vnf\_a.onap.com”, “node2.vnf\_a.onap.com”], - “PushJobFlag”: “True” - “CallbackCapable”:True - “GetOutputFlag” : “False” - } - -The example JSON file provided by the VNF provider for each VNF action will be -turned into a template by ONAP, that can be updated with instance -specific values at run-time. - -Some points worth noting regarding the JSON fields: - -a. The JSON file must be created for each action for each VNF. - -b. If a VNF action involves multiple endpoints (VMs) of a VNF, ONAP will - replicate the “Node” JSON dictionary in the template and post it to - each FQDN (i.e., endpoint) in the NodeList after setting the “name” - field in the Node object to be the respective FQDN [1]_. Hence, it - is required that all end points (VMs) of a VNF involved in a VNF - action support the same set of Node Object attributes. - -The following table describes the JSON dictionary to post in Callback. - -Table A2. JSON Dictionary to Post in Callback -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+--------------+----------------------------+---------+-----------------------+ -| **Key** | **Description** | **Type**| **Comment** | -+==============+============================+=========+=======================+ -| RequestId | A unique string associated |Mandatory| | -| | with the original request | | | -| | by ONAP. This key-value | | | -| | pair will be provided by | | | -| | ONAP in the environment of | | | -| | the push job request and | | | -| | must be returned as part of| | | -| | the POST message. | | | -+--------------+----------------------------+---------+-----------------------+ -| StatusCode | An integer that must be set|Mandatory| | -| | to 200 if chef-client run | | | -| | on the node finished | | | -| | successfully 500 otherwise.| | | -+--------------+----------------------------+---------+-----------------------+ -| StatusMessage| A string which must be set |Mandatory| | -| | to ‘SUCCESS’ if StatusCode | | | -| | was 200 | | | -| | | | | -| | Appropriate error message | | | -| | otherwise. | | | -+--------------+----------------------------+---------+-----------------------+ -| Name | A string which corresponds |Mandatory| | -| | to the name of the node | | | -| | where push job is run. It | | | -| | is required that the value | | | -| | be retrieved from the node | | | -| | object attributes (where it| | | -| | is always defined). | | | -+--------------+----------------------------+---------+-----------------------+ -| PushJobOutput| Any output from the |Optional | Depends on VNF action.| -| | chef-client run that needs | | If empty, it must not | -| | to be returned to ONAP. | | be included. | -+--------------+----------------------------+---------+-----------------------+ - -Ansible JSON Key Value Description -------------------------------------------------------------- - -The following provides the key value pairs that must be contained in the -JSON file supporting Ansible action. - -Table B1. Ansible JSON File key value description -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+---------------+----------------------+---------+----------------------------+ -| **Field Name**| **Description** | **Type**| **Comment** | -+===============+======================+=========+============================+ -| PlaybookName | VNF providor must |Mandatory|Currently following | -| | list name of the | |Ansible standard | -| | playbook relative | |naming, where main | -| | path used to | |playbook is always | -| | execute the VNF | |named site.yml, and | -| | action. | |directory name where | -| | | |this main playbook resides, | -| | | |is named after the | -| | | |command/action playbook | -| | | |performs, in lower case, | -| | | |example, configure. | -+---------------+----------------------+---------+----------------------------+ -| Action | Name of VNF action. | Optional| | -+---------------+----------------------+---------+----------------------------+ -| EnvParameters | A JSON dictionary | Optional|Depends on the VNF action. | -| | which should list key| | | -| | value pairs to be | |Attribute names (variable | -| | passed to the Ansible| |names) passed to Ansible | -| | playbook. These | |shall follow Ansible valid | -| | values would | |variable names: “Variable | -| | correspond to | |names should be letters, | -| | instance specific | |numbers, and underscores. | -| | parameters that a | |Variables should always | -| | playbook may need to | |start with a letter.” | -| | execute an action. | | | -+---------------+----------------------+---------+----------------------------+ -| NodeList |Ansible inventory | Optional|If not provided, pre-loaded | -| |hosts file with | |(VNF) inventory hosts | -| |VNF groups and | |file must exist in the | -| |respective IP | |Ansible Server otherwise | -| |addresses or DNS | |request fails. | -| |supported FQDNs | | | -| |that the playbook must| | | -| |be executed against. | | | -+---------------+----------------------+---------+----------------------------+ -| FileParameters| A JSON dictionary | Optional| Depends on the VNF action | -| | where keys are | | and playbook design. | -| | filenames and values | | | -| | are contents of | | | -| | files. The Ansible | | | -| | Server will utilize | | | -| | this feature to | | | -| | generate files with | | | -| | keys as filenames and| | | -| | values as content. | | | -| | This attribute can be| | | -| | used to generate | | | -| | files that a playbook| | | -| | may require as part | | | -| | of execution. | | | -+---------------+----------------------+---------+----------------------------+ -| Timeout | Time (in seconds) | Optional| | -| | that a playbook is | | | -| | expected to take to | | | -| | finish execution for | | | -| | the VNF. If playbook | | | -| | execution time | | | -| | exceeds this value, | | | -| | Ansible Server will | | | -| | terminate the | | | -| | playbook process. | | | -+---------------+----------------------+---------+----------------------------+ - -Ansible JSON file example: - -{ - - “Action”:”Configure”, - - "PlaybookName": "<VNFCode>/<Version>/ansible/configure/site.yml", - - "NodeList": ["test1.vnf\_b.onap.com", “test2.vnf\_b.onap.com”], - - "Timeout": 60, - - "EnvParameters": {"Retry": 3, "Wait": 5, “ConfigFile”:”config.txt”}, - - “FileParameters”:{“config.txt”:”db\_ip=10.1.1.1, sip\_timer=10000”} - -} - -In the above example, the Ansible Server will: - -a. Process the “FileParameters” dictionary and generate a file named - ‘config.txt’ with contents set to the value of the ‘config.txt’ key. - -b. Execute the playbook named ‘<VNFCode>/<Version>/ansible/configure/site.yml’ - on nodes with FQDNs test1.vnf\_b.onap.com and test2.vnf\_b.onap.com - respectively while providing the following key value pairs to the playbook: - Retry=3, Wait=5, ConfigFile=config.txt - - -c. If execution time of the playbook exceeds 60 secs (across all hosts), - it will be terminated. - -VNF License Information Guidelines ------------------------------------------------------------- - -This Appendix describes the metadata to be supplied for VNF licenses. - -1. General Information - -Table C1 defines the required and optional fields for licenses. - -Table C1. Required Fields for General Information -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+---------------+-----------------------------------+--------------+----------+ -| **Field Name**| **Description** | **Data Type**| **Type** | -+===============+===================================+==============+==========+ -| VNF Provider | The name of the VNF provider. | String | Mandatory| -| Name | | | | -+---------------+-----------------------------------+--------------+----------+ -| VNF Provider | The name of the product to which | String | Mandatory| -| Product | this agreement applies. | | | -| | | | | -| | Note: a contract/agreement may | | | -| | apply to more than one VNF | | | -| | provider product. In that case, | | | -| | provide the metadata for each | | | -| | product separately. | | | -+---------------+-----------------------------------+--------------+----------+ -| VNF Provider | A general description of VNF | String | Optional | -| Product | provider software product. | | | -| Description | | | | -+---------------+-----------------------------------+--------------+----------+ -| Export Control| ECCNs are 5-character | String | Mandatory| -| Classification| alpha-numeric designations used on| | | -| Number (ECCN) | the Commerce Control List (CCL) to| | | -| | identify dual-use items for export| | | -| | control purposes. An ECCN | | | -| | categorizes items based on the | | | -| | nature of the product, i.e. type | | | -| | of commodity, software, or | | | -| | technology and its respective | | | -| | technical parameters. | | | -+---------------+-----------------------------------+--------------+----------+ -| Reporting | A list of any reporting | List of | Optional | -| Requirements | requirements on the usage of the | strings | | -| | software product. | | | -+---------------+-----------------------------------+--------------+----------+ - -1. Entitlements - -Entitlements describe software license use rights. The use rights may be -quantified by various metrics: # users, # software instances, # units. -The use rights may be limited by various criteria: location (physical or -logical), type of customer, type of device, time, etc. - -One or more entitlements can be defined; each one consists of the -following fields: - -Table C2. Required Fields for Entitlements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+---------------+-----------------------------------+-------------+-----------+ -| **Field Name**| **Description** |**Data Type**| **Type** | -+===============+===================================+=============+===========+ -| VNF Provider | Identifier for the entitlement as | String | Mandatory | -| Part Number / | described by the VNF provider in | | | -| Manufacture | their price list / catalog / | | | -| Reference | contract. | | | -| Number | | | | -+---------------+-----------------------------------+-------------+-----------+ -| Description | Verbiage that describes the | String | Optional | -| | entitlement | | | -+---------------+-----------------------------------+-------------+-----------+ -| Entitlement | Each entitlement defined must be | String | Mandatory | -| Identifier | identified by a unique value (e.g.| | | -| | numbered 1, 2, 3….) | | | -+---------------+-----------------------------------+-------------+-----------+ -| Minimum Order | The minimum number of entitlements| Number | Mandatory | -| Requirement | that need to be purchased. | | | -| | For example, the entitlements must| | | -| | be purchased in a block of 100. If| | | -| | no minimum is required, the value | | | -| | will be zero. | | | -+---------------+-----------------------------------+-------------+-----------+ -| Unique | A list of any reporting | List of | Optional | -| Reporting | requirements on the usage of the | Strings | | -| Requirements | software product. (e.g.: quarterly| | | -| | usage reports are required) | | | -+---------------+-----------------------------------+-------------+-----------+ -| License Type | Type of license applicable to the | String | Mandatory | -| | software product. (e.g.: | | | -| | fixed-term, perpetual, trial, | | | -| | subscription.) | | | -+---------------+-----------------------------------+-------------+-----------+ -| License | Valid values: | String |Conditional| -| Duration | | | | -| | **year**, **quarter**, **month**, | | | -| | **day**. | | | -| | | | | -| | Not applicable when license type | | | -| | is Perpetual. | | | -+---------------+-----------------------------------+-------------+-----------+ -| License | Number of years, quarters, months,| Number |Conditional| -| Duration | or days for which the license is | | | -| Quantification| valid. | | | -| | | | | -| | Not applicable when license type | | | -| | is Perpetual. | | | -+---------------+-----------------------------------+-------------+-----------+ -| Limits | see section C.4 for possible | List | Optional | -| | values | | | -+---------------+-----------------------------------+-------------+-----------+ - -1. License Keys - -This section defines information on any License Keys associated with the -Software Product. A license key is a data string (or a file) providing a -means to authorize the use of software. License key does not provide -entitlement information. - -License Keys are not required. Optionally, one or more license keys can -be defined; each one consists of the following fields: - -Table C3. Required Fields for License Keys -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+---------------+-----------------------------------+--------------+----------+ -| **Field Name**| **Description** | **Data Type**| **Type** | -+===============+===================================+==============+==========+ -| Description | Verbiage that describes the | String | Mandatory| -| | license key | | | -+---------------+-----------------------------------+--------------+----------+ -| License Key | Each license key defined must be | String | Mandatory| -| Identifier | identified by a unique value | | | -| | (e.g., numbered 1, 2, 3….) | | | -+---------------+-----------------------------------+--------------+----------+ -| Key Function | Lifecycle stage (e.g., | String | Optional | -| | Instantiation or Activation) at | | | -| | which the license key is applied | | | -| | to the software. | | | -+---------------+-----------------------------------+--------------+----------+ -| License Key | Valid values: | String | Mandatory| -| Type | | | | -| | **Universal, Unique** | | | -| | | | | -| | **Universal** - a single license | | | -| | key value that may be used with | | | -| | any number of instances of the | | | -| | software. | | | -| | | | | -| | **Unique**- a unique license key | | | -| | value is required for each | | | -| | instance of the software. | | | -+---------------+-----------------------------------+--------------+----------+ -| Limits | see section C.4 for possible | List | Optional | -| | values | | | -+---------------+-----------------------------------+--------------+----------+ - -1. Entitlement and License Key Limits - -Limitations on the use of software entitlements and license keys may be -based on factors such as: features enabled in the product, the allowed -capacity of the product, number of installations, etc... The limits may -generally be categorized as: - -- where (location) - -- when (time) - -- how (usages) - -- who/what (entity) - -- amount (how much) - -Multiple limits may be applicable for an entitlement or license key. -Each limit may further be described by limit behavior, duration, -quantification, aggregation, aggregation interval, start date, end date, -and threshold. - -When the limit is associated with a quantity, the quantity is relative -to an instance of the entitlement or license key. For example: - -- Each entitlement grants the right to 50 concurrent users. If 10 - entitlements are purchased, the total number of concurrent users - permitted would be 500. In this example, the limit category is - **amount**, the limit type is **users**, and the limit - **quantification** is **50.** - - Each license key may be installed on 3 devices. If 5 license keys are - acquired, the total number of devices allowed would be 15. In this - example, the limit category is **usages**, the limit type is - **device**, and the limit **quantification** is **3.** - -1. Location - -Locations may be logical or physical location (e.g., site, country). For -example: - -- use is allowed in Canada - -Table C4. Required Fields for Location -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+------------------+--------------------------------+--------------+----------+ -| **Field Name** | **Description** | **Data Type**| **Type** | -+==================+================================+==============+==========+ -| Limit Identifier | Each limit defined for an | String | Mandatory| -| | entitlement or license key must| | | -| | be identified by a unique value| | | -| | (e.g., numbered 1,2,3…) | | | -+------------------+--------------------------------+--------------+----------+ -| Limit Description| Verbiage describing the limit. | String | Mandatory| -+------------------+--------------------------------+--------------+----------+ -| Limit Behavior | Description of the actions | String | Mandatory| -| | taken when the limit boundaries| | | -| | are reached. | | | -+------------------+--------------------------------+--------------+----------+ -| Limit Category | Valid value: **location** | String | Mandatory| -+------------------+--------------------------------+--------------+----------+ -| Limit Type | Valid values: **city, county, | String | Mandatory| -| | state, country, region, MSA, | | | -| | BTA, CLLI** | | | -+------------------+--------------------------------+--------------+----------+ -| Limit List | List of locations where the VNF| List of | Mandatory| -| | provider Product can be used or| String | | -| | needs to be restricted from use| | | -+------------------+--------------------------------+--------------+----------+ -| Limit Set Type | Indicates if the list is an | String | Mandatory| -| | inclusion or exclusion. | | | -| | | | | -| | Valid Values: | | | -| | | | | -| | **Allowed** | | | -| | | | | -| | **Not allowed** | | | -+------------------+--------------------------------+--------------+----------+ -| Limit | The quantity (amount) the limit| Number | Optional | -| Quantification | expresses. | | | -+------------------+--------------------------------+--------------+----------+ - -1. Time - -Limit on the length of time the software may be used. For example: - -- license key valid for 1 year from activation - -- entitlement valid from 15 May 2018 thru 30 June 2020 - -Table C5. Required Fields for Time -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+------------------+-------------------------------+--------------+-----------+ -| **Field Name** | **Description** | **Data Type**| **Type** | -+==================+===============================+==============+===========+ -| Limit Identifier | Each limit defined for an | String | Mandatory | -| | entitlement or license key | | | -| | must be identified by a unique| | | -| | value (e.g., numbered) | | | -+------------------+-------------------------------+--------------+-----------+ -| Limit Description| Verbiage describing the limit.| String | Mandatory | -+------------------+-------------------------------+--------------+-----------+ -| Limit Behavior | Description of the actions | String | Mandatory | -| | taken when the limit | | | -| | boundaries are reached. | | | -| | | | | -| | The limit behavior may also | | | -| | describe when a time limit | | | -| | takes effect. (e.g., key is | | | -| | valid for 1 year from date of | | | -| | purchase). | | | -+------------------+-------------------------------+--------------+-----------+ -| Limit Category | Valid value: **time** | String | Mandatory | -+------------------+-------------------------------+--------------+-----------+ -| Limit Type | Valid values: | String | Mandatory | -| | **duration, date** | | | -+------------------+-------------------------------+--------------+-----------+ -| Limit List | List of times for which the | List of | Mandatory | -| | VNF Provider Product can be | String | | -| | used or needs to be restricted| | | -| | from use | | | -+------------------+-------------------------------+--------------+-----------+ -| Duration Units | Required when limit type is | String |Conditional| -| | duration. Valid values: | | | -| | **perpetual, year, quarter, | | | -| | month, day, minute, second, | | | -| | millisecond** | | | -+------------------+-------------------------------+--------------+-----------+ -| Limit | The quantity (amount) the | Number | Optional | -| Quantification | limit expresses. | | | -+------------------+-------------------------------+--------------+-----------+ -| Start Date | Required when limit type is | Date | Optional | -| | date. | | | -+------------------+-------------------------------+--------------+-----------+ -| End Date | May be used when limit type is| Date | Optional | -| | date. | | | -+------------------+-------------------------------+--------------+-----------+ - -1. Usage - -Limits based on how the software is used. For example: - -- use is limited to a specific sub-set of the features/capabilities the - software supports - -- use is limited to a certain environment (e.g., test, development, - production…) - -- use is limited by processor (vm, cpu, core) - -- use is limited by software release - -Table C6. Required Fields for Usage -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+------------------+-------------------------------+---------------+----------+ -| **Field Name** | **Description** | **Data Type** | **Type** | -+==================+===============================+===============+==========+ -| Limit Identifier | Each limit defined for an | String | Mandatory| -| | entitlement or license key | | | -| | must be identified by a unique| | | -| | value (e.g., numbered) | | | -+------------------+-------------------------------+---------------+----------+ -| Limit Description| Verbiage describing the limit.| String | Mandatory| -+------------------+-------------------------------+---------------+----------+ -| Limit Behavior | Description of the actions | String | Mandatory| -| | taken when the limit | | | -| | boundaries are reached. | | | -+------------------+-------------------------------+---------------+----------+ -| Limit Category | Valid value: **usages** | String | Mandatory| -+------------------+-------------------------------+---------------+----------+ -| Limit Type | Valid values: **feature, | String | Mandatory| -| | environment, processor, | | | -| | version** | | | -+------------------+-------------------------------+---------------+----------+ -| Limit List | List of usage limits (e.g., | List of String| Mandatory| -| | test, development, vm, core, | | | -| | R1.2.1, R1.3.5…) | | | -+------------------+-------------------------------+---------------+----------+ -| Limit Set Type | Indicates if the list is an | String | Mandatory| -| | inclusion or exclusion. | | | -| | | | | -| | Valid Values: | | | -| | | | | -| | **Allowed** | | | -| | | | | -| | **Not allowed** | | | -+------------------+-------------------------------+---------------+----------+ -| Limit | The quantity (amount) the | Number | Optional | -| Quantification | limit expresses. | | | -+------------------+-------------------------------+---------------+----------+ - -1. Entity - -Limit on the entity (product line, organization, customer) allowed to -make use of the software. For example: - -- allowed to be used in support of wireless products - -- allowed to be used only for government entities - -Table C7. Required Fields for Entity -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+------------------+--------------------------------+--------------+----------+ -| **Field Name** | **Description** |**Data Type** | **Type** | -+==================+================================+==============+==========+ -| Limit Identifier | Each limit defined for an | String | Mandatory| -| | entitlement or license key must| | | -| | be identified by a unique value| | | -| | (e.g., numbered) | | | -+------------------+--------------------------------+--------------+----------+ -| Limit Description| Verbiage describing the limit. | String | Mandatory| -+------------------+--------------------------------+--------------+----------+ -| Limit Behavior | Description of the actions | String | Mandatory| -| | taken when the limit boundaries| | | -| | are reached. | | | -+------------------+--------------------------------+--------------+----------+ -| Limit Category | Valid value: **entity** | String | Mandatory| -+------------------+--------------------------------+--------------+----------+ -| Limit Type | Valid values: **product line, | String | Mandatory| -| | organization, internal | | | -| | customer, external customer** | | | -+------------------+--------------------------------+--------------+----------+ -| Limit List | List of entities for which the |List of String| Mandatory| -| | VNF Provider Product can be | | | -| | used or needs to be restricted | | | -| | from use | | | -+------------------+--------------------------------+--------------+----------+ -| Limit Set Type | Indicates if the list is an | String | Mandatory| -| | inclusion or exclusion. | | | -| | | | | -| | Valid Values: | | | -| | | | | -| | **Allowed** | | | -| | | | | -| | **Not allowed** | | | -+------------------+--------------------------------+--------------+----------+ -| Limit | The quantity (amount) the limit| Number | Optional | -| Quantification | expresses. | | | -+------------------+--------------------------------+--------------+----------+ - -1. Amount - -These limits describe terms relative to utilization of the functions of -the software (for example, number of named users permitted, throughput, -or capacity). Limits of this type may also be relative to utilization of -other resources (for example, a limit for firewall software is not based -on use of the firewall software, but on the number of network -subscribers). - -The metadata describing this type of limit includes the unit of measure -(e.g., # users, # sessions, # MB, # TB, etc.), the quantity of units, -any aggregation function (e.g., peak or average users), and aggregation -interval (day, month, quarter, year, etc.). - -Table C8. Required Fields for Amount -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -+------------------+---------------------------------+-------------+----------+ -| **Field Name** | **Description** |**Data Type**| **Type** | -+==================+=================================+=============+==========+ -| Limit Identifier | Each limit defined for an | String | Mandatory| -| | entitlement or license key must | | | -| | be identified by a unique value | | | -| | (e.g., numbered) | | | -+------------------+---------------------------------+-------------+----------+ -| Limit Description| Verbiage describing the limit. | String | Mandatory| -+------------------+---------------------------------+-------------+----------+ -| Limit Behavior | Description of the actions taken| String | Mandatory| -| | when the limit boundaries are | | | -| | reached. | | | -+------------------+---------------------------------+-------------+----------+ -| Limit Category | Valid value: **amount** | String | Mandatory| -+------------------+---------------------------------+-------------+----------+ -| Limit Type | Valid values: **trunk, user, | String | Mandatory| -| | subscriber, session, token, | | | -| | transactions, seats, KB, MB, TB,| | | -| | GB** | | | -+------------------+---------------------------------+-------------+----------+ -| Type of | Is the limit relative to | String | Mandatory| -| Utilization | utilization of the functions of | | | -| | the software or relative to | | | -| | utilization of other resources? | | | -| | | | | -| | Valid values: | | | -| | | | | -| | - **software functions** | | | -| | | | | -| | - **other resources** | | | -+------------------+---------------------------------+-------------+----------+ -| Limit | The quantity (amount) the limit | Number | Optional | -| Quantification | expresses. | | | -+------------------+---------------------------------+-------------+----------+ -| Aggregation | Valid values: **peak, average** | String | Optional | -| Function | | | | -+------------------+---------------------------------+-------------+----------+ -| Aggregation | Time period over which the | String | Optional | -| Interval | aggregation is done (e.g., | | | -| | average sessions per quarter). | | | -| | Required when an Aggregation | | | -| | Function is specified. | | | -| | | | | -| | Valid values: **day, month, | | | -| | quarter, year, minute, second, | | | -| | millisecond** | | | -+------------------+---------------------------------+-------------+----------+ -| Aggregation | Is the limit quantity applicable| String | Optional | -| Scope | to a single entitlement or | | | -| | license key (each separately)? | | | -| | Or may the limit quantity be | | | -| | combined with others of the same| | | -| | type (resulting in limit amount | | | -| | that is the sum of all the | | | -| | purchased entitlements or | | | -| | license keys)? | | | -| | | | | -| | Valid values: | | | -| | | | | -| | - **single** | | | -| | | | | -| | - **combined** | | | -+------------------+---------------------------------+-------------+----------+ -| Type of User | Describes the types of users of | String | Optional | -| | the functionality offered by the| | | -| | software (e.g., authorized, | | | -| | named). This field is included | | | -| | when Limit Type is user. | | | -+------------------+---------------------------------+-------------+----------+ - -TOSCA model ------------------------------ - -Table D1. ONAP Resource DM TOSCA/YAML constructs -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Standard TOSCA/YAML definitions agreed by VNF SDK Modeling team to be used by -VNF vendors to create a standard VNF descriptor. - -All definitions are summarized in the table below based on the agreed ONAP -Resource DM TOSCA/YAML constructs for Beijing. Their syntax is specified in -ETSI GS NFV-SOL001 stable draft for VNF-D. - -+------------+------------------------------+---------------------------------+ -| Requirement| Resource IM Info Elements | TOSCA Constructs as per SOL001 | -| Number | | | -+============+==============================+=================================+ -| R-02454 | VNFD.vnfSoftwareVersion | For VDU.Compute - | -| | | tosca.artifacts.nfv.SwImage | -| | | | -| | SwImageDesc.Version | For Virtual Storage - | -| | | tosca.artifacts.Deployment.Image| -+------------+------------------------------+---------------------------------+ -| R-03070 | vnfExtCpd's with virtual | tosca.nodes.nfv.VnfExtCp with a | -| | NetworkInterfaceRequirements | property tosca.datatypes.nfv.\ | -| | (vNIC) | VirtualNetworkInterface\ | -| | | Requirements | -+------------+------------------------------+---------------------------------+ -| R-09467 | VDU.Compute descriptor | tosca.nodes.nfv.Vdu.Compute | -+------------+------------------------------+---------------------------------+ -| R-16065 | VDU.Compute. Configurable | tosca.datatypes.nfv.Vnfc | -| | Properties | ConfigurableProperties | -+------------+------------------------------+---------------------------------+ -| R-30654 | VNFD.lifeCycleManagement | Interface construct tosca.\ | -| | Script - IFA011 LifeCycle\ | interfaces.nfv.vnf.lifecycle.Nfv| -| | ManagementScript | with a list of standard LCM | -| | | operations | -+------------+------------------------------+---------------------------------+ -| R-35851 | CPD: VduCp, VnfExtCp, | tosca.nodes.nfv.VduCp, tosca.\ | -| | VnfVirtualLinkDesc, QoS | nodes.nfv.VnfVirtualLink, | -| | Monitoring info element - | tosca.nodes.nfv.VnfExtCp | -| | TBD | | -+------------+------------------------------+---------------------------------+ -| R-41215 | VNFD/VDU Profile and scaling | tosca.datatypes.nfv.VduProfile | -| | aspect | and tosca.datatypes.nfv.\ | -| | | ScalingAspect | -+------------+------------------------------+---------------------------------+ -| R-66070 | VNFD meta data | tosca.datatypes.nfv. | -| | | VnfInfoModifiableAttributes - | -| | | metadata? | -+------------+------------------------------+---------------------------------+ -| R-96634 | VNFD.configurableProperties | tosca.datatypes.nfv.Vnf\ | -| | describing scaling | ConfigurableProperties, | -| | characteristics. VNFD.\ | tosca.datatypes.nfv.ScaleInfo | -| | autoscale defines the rules | | -| | for scaling based on specific| | -| | VNF indications | | -+------------+------------------------------+---------------------------------+ -| ? | VDU Virtual Storage | tosca.nodes.nfv.Vdu.\ | -| | | VirtualStorage | -+------------+------------------------------+---------------------------------+ -| R-01478 | Monitoring Info Element (TBD)| tosca.capabilities.nfv.Metric - | -| | - SOL001 per VNF/VDU/VLink | type for monitoring | -| R-01556 | memory-consumption, | | -| | CPU-utilization, | monitoring_parameter of above | -| | bandwidth-consumption, VNFC | type per VNF/VDU/VLink | -| | downtime, etc. | | -+------------+------------------------------+---------------------------------+ - - -Table D2. TOSCA CSAR structure -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -This section defines the requirements around the CSAR structure. - -The table below describes the numbered requirements for CSAR structure as -agreed with SDC. The format of the CSAR is specified in SOL004. - -+------------+-------------------------------------+--------------------------+ -| Requirement| Description | CSAR artifact directory | -| Number | | | -+============+=====================================+==========================+ -| R-26881 | The VNF provider MUST provide the | ROOT\\Artifacts\ | -| | binaries and images needed to | \\VNF_Image.bin | -| | instantiate the VNF (VNF and VNFC | | -| | images). | | -+------------+-------------------------------------+--------------------------+ -| R-30654 | VNFD.lifeCycleManagementScript that | ROOT\\Artifacts\ | -| | includes a list of events and | \\Informational\ | -| | corresponding management scripts | \\Install.csh | -| | performed for the VNF - SOL001 | | -+------------+-------------------------------------+--------------------------+ -| R-35851 | All VNF topology related definitions| ROOT\\Definitions\ | -| | in yaml files VNFD/Main Service | \\VNFC.yaml | -| | template at the ROOT | | -| | | ROOT\ | -| | | \\MainService\ | -| | | \\Template.yaml | -+------------+-------------------------------------+--------------------------+ -| R-40827 | CSAR License directory - SOL004 | ROOT\\Licenses\ | -| | | \\License_term.txt | -+------------+-------------------------------------+--------------------------+ -| R-77707 | CSAR Manifest file - SOL004 | ROOT\ | -| | | \\MainServiceTemplate.mf | -+------------+-------------------------------------+--------------------------+ - - Requirement List -------------------------------- @@ -944,7 +66,7 @@ high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec. R-54430 The VNF **MUST** use the NCSP’s supported library and compute -flavor that supports DPDK to optimize network efficiency if using DPDK. [5]_ +flavor that supports DPDK to optimize network efficiency if using DPDK. [4]_ R-18864 The VNF **MUST** NOT use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary @@ -1783,9 +905,9 @@ Cloud will continue to rapidly evolve and the underlying components of the platform will change regularly. R-33846 The VNF **MUST** install the NCSP required software on Guest OS -images when not using the NCSP provided Guest OS images. [5]_ +images when not using the NCSP provided Guest OS images. [4]_ -R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [5]_ +R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [4]_ R-02997 The VNF **MUST** preserve their persistent data. Running VMs will not be backed up in the Network Cloud infrastructure. @@ -1812,14 +934,14 @@ troubleshooting. R-39650 The VNF **SHOULD** provide the ability to test incremental growth of the VNF. -R-14853 The VNF **MUST** respond to a "move traffic" [2]_ command +R-14853 The VNF **MUST** respond to a "move traffic" [1]_ command against a specific VNFC, moving all existing session elsewhere with minimal disruption if a VNF provides a load balancing function across multiple instances of its VNFCs. Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints. -R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against +R-06327 The VNF **MUST** respond to a "drain VNFC" [1]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC, if a VNF provides a load balancing function across multiple instances of its VNFCs. @@ -3373,7 +2495,7 @@ R-60656 The xNF **MUST** support sub tree filtering. R-80898 The xNF **MUST** support heartbeat via a <get> with null filter. R-25238 The xNF PACKAGE **MUST** validated YANG code using the open -source pyang [3]_ program using the following commands: +source pyang [2]_ program using the following commands: R-63953 The xNF **MUST** have the echo command return a zero value otherwise the validation has failed @@ -3512,7 +2634,7 @@ Server regardless of whether the Callback succeeded or not. R-32217 The xNF **MUST** have routable FQDNs that are reachable via the Ansible Server for the endpoints (VMs) of a xNF on which playbooks will be executed. ONAP will initiate requests to the Ansible Server -for invocation of playbooks against these end points [4]_. +for invocation of playbooks against these end points [3]_. R-54373 The xNF **MUST** have Python >= 2.6 on the endpoint VM(s) of a xNF on which an Ansible playbook will be executed. @@ -3541,7 +2663,7 @@ R-40293 The xNF **MUST** make available playbooks that conform to the ONAP requirement. R-49396 The xNF **MUST** support each ONAP (APPC) xNF action by invocation -of **one** playbook [7]_. The playbook will be responsible +of **one** playbook [6]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request. @@ -3597,7 +2719,7 @@ model, format and mechanisms described in this section. R-19624 The xNF **MUST** encode and serialize content delivered to ONAP using JSON (RFC 7159) plain text format. High-volume data is to be encoded and serialized using `Avro <http://avro.apache.org/>`_, -where the Avro [6]_ data format are described using JSON. +where the Avro [5]_ data format are described using JSON. Note: @@ -3743,731 +2865,24 @@ Information (SPI) or certain proprietary data, in addition to applying the regular procedures for securing access and delivery. -Ansible Playbook Examples ------------------------------------------------ - -The following sections contain examples of Ansible playbooks -which follow the guidelines. - -Guidelines for Playbooks to properly integrate with APPC -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -NOTE: To support concurrent requests to multiple VNF instances of same -or different type, VNF hosts and other files with VNF specific default -values are kept or created in separate directories. - -Example of an Ansible command (after pwd) to run playbook again -vfdb9904v VNF instance: - -.. code-block:: none - - $ pwd - /storage/vfdb/V16.1/ansible/configure - $ ansible-playbook -i ../inventory/vfdb9904vhosts site.yml --extra-vars "vnf_instance=vfdb9904v" - - NOTE: To preserve Ansible inventory/group_vars capability, that makes - group_vars contents global variables available to all playbooks, when they - reside in the inventory directory, guidelines are being updated to name the - VNF inventory hosts file as (a flat file) <VNFName>hosts, stored in the - inventory directory, not a subdirectory under inventory. In the above - example: vfdb9904vhosts (removed / VNF name and hosts vfdb9904/vhosts) - -Example of corresponding APPC API Call from ONAP – Ansible Server -Specifications: - -An example of a curl request simulating a Rest API POST requesting execution -of configure Playbook (using playbook relative path): - -.. code-block:: none - - curl -u APIUser:APIPassword -H "Content-type:application/json" -X POST - -d '{"Id": "8412", "PlaybookName": "vfdb/V5.x.x/ansible/configure/site.yml", - "Timeout":"600", "EnvParameters": { "vnf_instance": "vfdb9904v" }}' - http://ansible.server.com:5000/Dispatch - -Rest API GET request to obtain response/results for prior request -(same Id as POST request above): - -.. code-block:: none - - curl -u APIUser:APIPassword -H 'Content-type: application/json' -X GET - 'http://ansible.server.com:5000/Dispatch/?Id=8412&Type=GetResult' - -Comments: - -- An ID number is assigned to each request. This ID number is used to - track request down to completion and provide status to APPC when - requested. - -- Playbook Name relative path provided in the request as PlaybookName - -- Ansible Server Rest API is aware of playbook’s root directory which may - vary from instance to instance or Ansible Server cluster to cluster. - -Ansible Playbooks will use the VNF instance name (passed using ---extra-vars "vnf\_instance=vfdb9904v") to identify other default values -to run the playbook(s) against the target VNF instance. Same example as -above: - -.. code-block:: none - - $ ansible-playbook -i ../inventory/vfdb9904vhosts site.yml --extra-vars "vnf_instance=vfdb9904v" - -Each Ansible Server or cluster is assigned its own identification to be used -to authenticate to VNF VMs using Ansible Server or cluster specific set of -SSH keys that may be rotated regularly. Here hosts file, no longer referencing -file with SSH key credentials, to run ansible-playbook listed in this example -above (IP addresses were scrubbed): - -.. code-block:: none - - $ more ../inventory/vfdb9904v/hosts - [host] - localhost ansible_connection=local - - [oam] - 1xx.2yy.zzz.109 - 1xx.2yy.zzz.110 - - [rdb] - 1xx.2yy.zzz.105 - 1xx.2yy.zzz.106 - -NOTE: APPC requests to run Playbooks/Cookbooks are specific to a VNF, -but could be more limited to one VM or one type of VM by the request -parameters. Actions that may impact a site (LCP), a service, or an -entire platform must be orchestrated by MSO in order to execute requests -via APPC which then invoke VNF level playbooks. Playbooks that impact -more than a single VNF are not the current focus of these guidelines. - -Since last release of these guidelines, based on recent learnings, -moving VNF Type global variables under inventory/group_vars files, this -way variables and respective values are available to all playbooks without -being explicitly referenced though an include statement. Also creating -templates that are VNF Type specific, but moving away from static files -that are VNF instance specific, working to obtain VNF instance specific -from other sources, inventory database, etc. - -And here the scrubbed default arguments for this VNF instance(originated -from previously re-factored playbooks now being phased out): - -.. code-block:: none - - vnf_instance=vfdb9904v - - $ more ../vars/vfdb9904v/default_args.yml - vm_config_oam_vnfc_name: vfdb9904vm001oam001 - vm_config_oam_hostname: vfdb9904vm001 - vm_config_oam_provider_ip_address: 1xx.2yy.zzz.109 - … - -IMPORTANT: The APPC and default file attribute name for -vm\_config\_oam\_vnfc\_name, as an example, is derived from vm\_config -array structure (list) in the CSAR package ENV file, with dots replaced -by underscore: - -.. code-block:: none - - vm_config: - - oam: {vnfc_name: {{ vm_config_oam_vnfc_name }}, hostname: {{ - vm_config_oam_hostname }}, provider_ip_address: {{ - vm_config_oam_provider_ip_address } - }, - … - -Parameters like VNF names, VNFC names, OA&M IP addresses, after -February, 2018 ONAP release, will be extracted from A&AI by APPC and -then passed down to Ansible Server, as part of APPC request through REST -API. In the meantime, VNF instance specific required values, will -be stored on VNF instance directory, default arguments file and will be -used as defaults. For parameterized playbooks attribute-value pairs -passed down by APPC to Ansible Server always take precedence over -template or VNF instance specific defaults stored in defaults file(s). - -.. code-block:: none - - $ pwd - /storage/vfdb/latest/ansible - Again, originated from previously re-factored playbooks now being phased out: - - $ more vars/vfdb9904v/default_args.yml - - vm_config_oam1_vnfc_name: vfdb9904vm001oam001 - vm_config_oam1_hostname: vfdb9904vm001 - vm_config_oam1_provider_ip_address: 1xx.2yy.zzz.109 - - vm_config_oam2_vnfc_name: vfdb9904vm002oam001 - vm_config_oam2_hostname: vfdb9904vm002 - vm_config_oam2_provider_ip_address: 1xx.2yy.zzz.110 - - vm_config_rdb1_vnfc_name: vfdb9904vm003rdb001 - vm_config_rdb1_hostname: vfdb9904vm003 - vm_config_rdb1_provider_ip_address: 1xx.2yy.zzz.105 - - vm_config_rdb2_vnfc_name: vfdb9904vm004rdb001 - vm_config_rdb2_hostname: vfdb9904vm004 - vm_config_rdb2_provider_ip_address: 1xx.2yy.zzz.106 - - vm_config_rdb3_vnfc_name: vfdb9904vm005rdb001 - vm_config_rdb3_hostname: vfdb9904vm005 - vm_config_rdb3_provider_ip_address: 1xx.2yy.zzz.xxx - - vm_config_rdb4_vnfc_name: vfdb9904vm006rdb001 - vm_config_rdb4_hostname: vfdb9904vm006 - vm_config_rdb4_provider_ip_address: 1xx.2yy.zzz.yyy - -One of the first tasks on the Ansible Playbooks is to combine the VNF -type generic template, derived from ENV files in CSAR or other files, -with these default values stored on the Ansible Server, together with -the overriding parameters passed down from APPC, to create the VNF -instance specific set of attribute-value pairs to be used for the run, in -INI format. Here is an excerpt from such a file that should look -somewhat similar to ENV files: - -.. code-block:: none - - $ more tmp/vfdb9904v/all.yml - - deployment_prefix: vfdb9904v - … - timezone: Etc/UTC - … - template_version: '2014-10-16' - stack_name: vfdb9904v - c3dbtype: OAM - stackName: vfdb9904v - juno_base: true - … - -# logins list contain 'login name', 'login group', 'login password' - -.. code-block:: none - - logins: - - { name: 'm99999', group: 'm99999', password: 'abcdefgha' } - - { name: 'gsuser', group: 'gsuser', password: ' abcdefgha' } - - { name: 'peruser', group: 'peruser', password: ' abcdefgha' } - - { name: 'dbuser', group: 'dbuser', password: ' abcdefgha' } - -NOTE: Arguments passed by APPC to Ansible Server to run a playbook take -precedence over any defaults stored in Ansible Server. - -Ansible Playbooks – Notes On Artifacts Required to Run Playbooks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Inventory hosts file: should be VNF instance specific. - -Default variables: should be VNF instance specific. - -NOTE: Some playbooks may rely on inventory directory contents to target -the collection of VNFs in the Services Platform supported through -Ansible. - -Playbooks and paths to referenced files: Playbooks shall not use -absolute paths in include or import entries (variables or playbooks) or -other types of references. - -For this to work properly, when running playbooks, the directory where -the main playbook resides shall be the current directory. - -Playbook imports, when used, shall use paths relative to the main -playbook directory. - -Root directory named ansible - Any files provided with playbooks, -included, imported, or referenced by playbooks, shall reside under the ansible -playbooks (root) directory, containing all playbook subdirectories, or -below that ansible root directory, in other subdirectories to support -on-boarding and portability of VNF collection of playbooks and related -artifacts. - -Designing for a shared environment, concurrently running playbooks, -targeting multiple VNF instances – inventory hosts file: - -To avoid inventory hosts file overwrites or collisions between multiple -concurrently running VNF instance requests, chosen approach is for each -VNF instance hosts file, to be stored under the Ansible Server Playbooks -root directory, under the inventory subdirectory, and under a directory -for each VNF instance, named after the VNF instance, as follows: - -ansible/inventory/<VNF\_instance\_name>/hosts - -Example of inventory hosts file path, relative to ansible playbooks root -directory (playbooks\_dir): ansible/inventory/vnfx0001v/hosts - -**Designing for a shared environment, concurrently running multiple playbooks, -targeting multiple VNF instances – default argument variables for -specific VNF instances:** - -Files containing attribute name value pairs (variable name and default -values), referenced/included by playbooks – Files containing VNF -instance specific default values – in a later APPC release, some or all -the default attribute value pairs contained in the defaults file, may be -passed down by APPC, to the Ansible Server, overriding these defaults: - -VNF instance specific files -referenced/included by playbooks, containing default values, example, -default\_args.yml, shall be stored under a directory with VNF instance -name on the path. - -Example: - -ansible/vars/<VNF\_instance\_name>/default\_args.yml - -Example of include statement: - -- include_vars: ../vars/{{ vnf_instance }}/default_args.yml - -Again, this was originated from previously re-factored playbooks, now being -phased out, to move away from having to create VNF instance specific files -with VNF instance default variables. Moving to extract these values from -inventory databases and provide them to Ansible Server as part of the APPC -request, but may be used in a transition from having everything stored in the -Ansible Server to APPC extracting and providing VNF instance specific -attribute-value pairs to the Ansible Server as part of the request. - -Files containing attribute name value pairs (variable name and default -values), referenced/included by playbooks – created dynamically by -playbooks: - -To avoid -overwrites or collisions of multiple concurrently running VNF instance -requests, files created dynamically by playbooks, based on VNF generic -templates, combined with default values and arguments passed down by -APPC (as part of the request), shall be stored under a directory with -VNF instance name on the path. - -Example: - -tmp/<VNF\_instance\_name>/all.yml - -Files containing site specific (Openstack location non-instance -specific) attribute name value pairs, like NTP server and DNS server’s -IP addresses and other parameters, referenced/included by playbooks, not -VNF specific – Could/should be stored under inventory/group_vars directory, -in a subdirectory named after the string used to identify the site (nyc1, -lax2,…). - -Examples: - -ansible/inventory/group_vars/<Site> - -ansible/inventory/group_vars/nyc1 - -ansible/inventory/group_vars/lax2 - - -\ **Ansible Server Design - Directory Structure** - -To help understanding the contents of this section, here are few basic -definitions: - -**VNF type a.k.a VNF Function Code** - Based on current Services -Platform naming convention, each Virtual Network Function is assigned a -4 character string (example vfdb), these are 4 characters in -the VNF instance name, followed by (4) numbers, ending in a "v", but the -naming convention is evolving. VNF instance name in -some cases corresponds to the stack name for the VNF when VNF instance -is built based on a single module, single stack. Example of VNF instance -name: vfdb9904v. All VNF performing this function, running the same -software, coming from the same VNF provider will have the same 4 -characters in the VNF instance name, in this example, vfdb. - -NOTE: New naming convention includes a prefix indicating geographical -location where VNF is instantiated. - -VNF type, determined through these 4 characters, is also known as VNF -Function Code and is assigned by inventory team. All Services Platform -VNF Function Codes can be found in inventory database and/or A&AI as -well as Services Platform Network Design Documents. - -Version – As in VNF software version is the release of the software -running on the VNF for which the playbooks were developed. VNF -configuration steps may change from release to release and this -<Version> in the path will allow the Ansible Server to host playbooks -associated with each software release. And run the playbooks that match -the software release running on each VNF instance. APPC initially will -not support playbook versioning only latest playbook is supported or a hard -coded version that later should become a variable to allow multiple -actively in use playbook versions according to VNF release. - -Playbook Function - Is a name associated with a life cycle management -task(s) performed by the playbook(s) stored in this directory. It should -clearly identify the type of action(s) performed by the main playbook -and possibly other playbooks stored in this same directory. Ideally, -playbook function would match APPC corresponding command or function that -is performed by the main playbook in this directory. Following Ansible naming -standards main playbook is usually named site.yml. There can be other -playbooks on the same directory that use a subset of the roles used by the -main playbook site.yml. Examples of Playbook Function directory names: - -- configure – Contains post-instantiation (bulk) configuration - playbooks, roles,… - -- healthcheck – Contains VNF health check playbook(s), roles,… - -- stop – Contains VNF application stop (stopApplication) playbook(s), - roles,… - -- start – Contains VNF application start (startApplication) playbook(s), - roles,… - -Directory structure to allow hosting multiple version sets of playbooks, -for the same VNF type, to be hosted in the runtime environment on the -Ansible Servers. Generic directory structure: - -Ansible Playbooks – Function directory and main playbook: - -.. code-block:: none - - <VNF type>/<Version>/ansible/<Playbook Function>/site.yml - -Example – Post-instantiation (bulk) configuration –APPC Function - -Configure: - -.. code-block:: none - - <VNF type>/<Version>/ansible/configure/site.yml - -Example – Post-instantiation (bulk) configuration –APPC Function -– Configure – VNF software version 16.1: - -.. code-block:: none - - vfdb/V16.1/ansible/configure/site.yml - -Example – Health-check –APPC Function - HealthCheck: - -.. code-block:: none - - <VNF type>/<Version>/ansible/healthcheck/site.yml - -OR (Function directory name does not need to match APPC function name) - -.. code-block:: none - - <VNF type>/<Version>/ansible/check/site.yml - -Ansible Directories for other artifacts – VNF inventory hosts file - -Required: - -.. code-block:: none - - <VNF type>/<Version>/ansible/inventory/<VNF instance name>hosts - -Ansible Directories for other artifacts – VNF instance specific default -arguments – Optional: - -.. code-block:: none - - <VNF type>/<Version>/ansible/group_vars/<VNF instance name> - -NOTE: This requirement is expected to be deprecated all or in part in the -future, for automated actions, once APPC can pass down all VNF specific -arguments for each action. Requirement remains while manual actions are -to be supported. Other automated inventory management mechanisms may be -considered in the future, Ansible supports many automated inventory -management mechanisms/tools/solutions. - -Ansible Directories for other artifacts – VNF (special) groups – -Optional: - -.. code-block:: none - - <VNF type>/<Version>/ansible/inventory/group_vars/<VNF instance name> - -NOTE: Default groups will be created based on VNFC type, 3 characters, -on VNFC name. Example: “oam”, “rdb”, “dbs”, “man”, “iox”, “app”,… - -Ansible Directories for other artifacts – VNF (special) other files – -Optional – Example – License file: - -.. code-block:: none - - <VNF type>/<Version>/ansible/<Other directory(s)> - -CAUTION: On referenced files used/required by playbooks. - -- To avoid missing files, during on-boarding or uploading of Ansible - Playbooks and related artifacts, all permanent files (not generated - by playbooks as part of execution), required to run any playbook, - shall reside under the ansible root directory or below on other - subdirectories. - -- Any references to files, on includes or other playbook entries, shall - use relative paths. - -- This is the ansible (root) directory referenced on this - note (Ansible Server mount point not included): - -.. code-block:: none - - <VNF type>/<Version>/ansible/ - -There will be a soft link to the latest set of Ansible Playbooks for -each VNF type. - -VNF type directories use A&AI inventory VNF function code. Ansible -Playbooks will be stored on a Cinder Volume mounted on the Ansible -Servers as /storage. Example: - -/storage/vfdb/latest/ansible – This soft link point to the latest set of -playbooks (or the only set) - -/storage/vfdb/V16.1/ansible – Root directory for database VNF Ansible -Playbooks for release 16.1 - -CAUTION: To support this directory structure as the repository to store -Ansible Playbooks run by APPC, APPC API in the Ansible Server side needs -to be configured to run playbooks from directory, not MySQL database. - -Ansible Server HTTP will be configured to support APPC REST API requests -to run playbooks as needed, against specific VNF instances, or specific -VM(s) as specified in the request. - -ONAP APPC REST API to Ansible Server is documented separately and can be -found under ONAP (onap.org). - -**Ansible Server – On-boarding Ansible Playbooks** - -Once playbooks are developed following the guidelines listed in prior -section(s), playbooks need to be on-boarded onto Ansible Server(s). In -the future, they’ll be on-boarded and distributed through ONAP, at least -that is the proposed plan, but for now they need to be uploaded -manually. There is work in progress to use a Git as the playbook -repository to store and track playbooks by version, version control. - -These are the basic steps to on-board playbooks manually onto the -Ansible Server. - -1. Upload CSAR, zip, or tar file containing VNF playbooks and related - artifacts. - -2. Create full directory (using –p option below) to store Ansible - Playbooks and other artifacts under /storage (or other configured) - file system. - - a. Includes VNF type using VNF function code 4 characters under - /storage. - - b. Includes VNF “Version” directory as part of the path to store - playbooks for this VNF version. - - c. Include generic ansible root directory. Creating full directory - path as an example: - -.. code-block:: none - - $ mkdir –p /storage/vfdb/V16.1/ansible**/** - -3. Make this directory (VNF ansible root directory) current directory - for next few steps: - -.. code-block:: none - - cd /storage/vfdb/V16.1/ansible/ - -4. Extract Ansible Playbooks and other Ansible artifacts associated with - the playbooks onto the ansible directory. Command depends on the type - of file uploaded, examples would be: - -.. code-block:: none - - tar xvf .. - unzip … - bunzip .. - -5. Create VNF inventory hosts file with all VMs and - OA&M IP addresses for all VNF instances with known OA&M IP addresses - for respective VMs, example: - -.. code-block:: none - - $ mkdir inventory - - $ touch inventory/vfdb9904vhosts - - $ cat inventory/vfdb9904vhosts - - [host] - localhost ansible\_connection=local - - [oam] - 1xx.2yy.zzz.109 - 1xx.2yy.zzz.110 - - [rdb] - 1xx.2yy.zzz.105 - 1xx.2yy.zzz.106 - -6. (Optional, being deprecated) Create directory to hold default -arguments for each VNF instance, -example: - -.. code-block:: none - - $ mkdir –p vars/vfdb9904v - $ touch vars/vfdb9904v/default\_args.yml - $ cat vars/vfdb9904v/default\_args.yml - vm\_config\_oam1\_vnfc\_name: vfdb9904vm001oam001 - vm\_config\_oam1\_hostname: vfdb9904vm001 - vm\_config\_oam1\_provider\_ip\_address: 1xx.2yy.zzz.109 - - vm\_config\_oam2\_vnfc\_name: vfdb9904vm002oam001 - vm\_config\_oam2\_hostname: vfdb9904vm002 - vm\_config\_oam2\_provider\_ip\_address: 1xx.2yy.zzz.110 - - vm\_config\_rdb1\_vnfc\_name: vfdb9904vm003rdb001 - vm\_config\_rdb1\_hostname: vfdb9904vm003 - vm\_config\_rdb1\_provider\_ip\_address: 1xx.2yy.zzz.105 - - vm\_config\_rdb2\_vnfc\_name: vfdb9904vm004rdb001 - vm\_config\_rdb2\_hostname: vfdb9904vm004 - vm\_config\_rdb2\_provider\_ip\_address: 1xx.2yy.zzz.106 - - vm\_config\_rdb3\_vnfc\_name: vfdb9904vm005rdb001 - vm\_config\_rdb3\_hostname: vfdb9904vm005 - vm\_config\_rdb3\_provider\_ip\_address: 1xx.2yy.zzz.xxx - - vm\_config\_rdb4\_vnfc\_name: vfdb9904vm006rdb001 - vm\_config\_rdb4\_hostname: vfdb9904vm006 - vm\_config\_rdb4\_provider\_ip\_address: 1xx.2yy.zzz.yyy - -NOTE: Please note names in this file shall use underscore “\_” not dots -“.” or dashes “-“. - -7. Perform some basic playbook validation running with “--check” option, - running dummy playbooks or other. - -NOTE: Each Ansible Server or cluster of Ansible Server will have its own -credentials to authenticate to VNF VMs. Ansible Server SSH public key(s) -have to be loaded onto VNF VMs during instantiation or other way before -Ansible Server can access VNF VMs and run playbooks. HOT templates used -by heat to instantiate VNFs to be configured by these Ansible Servers running -playbooks shall include the same SSH public key and load them onto VNF VM(s) -as part of instantiation. - -Other non-vendor specific playbook tasks need to be incorporated in overall -post-instantiation configuration playbook. Alternative is for company -developed playbooks to be uploaded and executed, after VNF vendor provided -playbooks are run. - -**A couple of playbooks used for proof-of-concept testing as examples:** - -UpgradePreCheck: - -.. code-block:: none - - $ pwd - /storage/comx/V5.3.1.3/ansible/upgradeprecheck - - $ more site.yml - --- - - - import_playbook: ../common/create_vars.yml - - import_playbook: ../common/create_hosts.yml - - - name: upgrade software pre check - hosts: oam,dbs,cpm - gather_facts: no - become: true - become_method: sudo - become_user: root - max_fail_percentage: 0 - any_errors_fatal: True - roles: - - precheck - tags: precheck - - $ more roles/precheck/tasks/main.yml - --- - - - include_vars: /tmp/{{ vnf_instance }}/all.yml - - - name: get software version installed on vnf - shell: grep "^SW_VERSION =" /vendor/software/config/param_common.cfg | grep -c "{{ existing_software_version }}" - register: version_line - ignore_errors: yes - - - name: send msg when matches expected version - debug: msg="*** OK *** VNF software release matches (old) release to be upgraded." - verbosity=1 - when: version_line.stdout.find('1') != -1 - - # send warning message and failure when release is not a match - - fail: - msg="*** WARNING *** VNF software release does not match expected (pre-upgrade) release." - when: (version_line | failed) or version_line.stdout.find('1') == -1 - - -UpgradePostCheck: - -.. code-block:: none - - $ pwd - /storage/comx/V5.3.1.3/ansible/upgradepostcheck - - $ more site.yml - --- - - - import_playbook: ../common/create_vars.yml - - import_playbook: ../common/create_hosts.yml - - - name: upgrade software post check - hosts: oam,dbs,cpm - gather_facts: no - become: true - become_method: sudo - become_user: root - max_fail_percentage: 0 - any_errors_fatal: True - roles: - - postcheck - tags: postcheck - - $ more roles/postcheck/tasks/main.yml - --- - - - include_vars: /tmp/{{ vnf_instance }}/all.yml - - - name: get post upgrade software version installed on vnf - shell: grep "^SW_VERSION =" /vendor/software/config/param_common.cfg | grep -c "{{ new_software_version }}" - register: version_line - ignore_errors: yes - - - name: send msg when matches expected version - debug: msg="*** OK *** VNF software release matches new release." - verbosity=1 - when: version_line.stdout.find('1') != -1 - - # send warning message and failure when release is not a match - - fail: - msg="*** WARNING *** VNF software release does not match expected new (post-upgrade) release." - when: (version_line | failed) or version_line.stdout.find('1') == -1 - - .. [1] - The “name” field is a mandatory field in a valid Chef Node Object - JSON dictionary. - -.. [2] Not currently supported in ONAP release 1 -.. [3] +.. [2] https://github.com/mbj4668/pyang -.. [4] +.. [3] Upstream elements must provide the appropriate FQDN in the request to ONAP for the desired action. -.. [5] +.. [4] Refer to NCSP’s Network Cloud specification -.. [6] +.. [5] This option is not currently supported in ONAP and it is currently under consideration. -.. [7] +.. [6] Multiple ONAP actions may map to one playbook. diff --git a/docs/Chapter8/TOSCA-model.rst b/docs/Chapter8/TOSCA-model.rst new file mode 100644 index 0000000..6cdad72 --- /dev/null +++ b/docs/Chapter8/TOSCA-model.rst @@ -0,0 +1,111 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +TOSCA model +----------- + +Table D1. ONAP Resource DM TOSCA/YAML constructs +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Standard TOSCA/YAML definitions agreed by VNF SDK Modeling team to be used by +VNF vendors to create a standard VNF descriptor. + +All definitions are summarized in the table below based on the agreed ONAP +Resource DM TOSCA/YAML constructs for Beijing. Their syntax is specified in +ETSI GS NFV-SOL001 stable draft for VNF-D. + ++------------+------------------------------+---------------------------------+ +| Requirement| Resource IM Info Elements | TOSCA Constructs as per SOL001 | +| Number | | | ++============+==============================+=================================+ +| R-02454 | VNFD.vnfSoftwareVersion | For VDU.Compute - | +| | | tosca.artifacts.nfv.SwImage | +| | | | +| | SwImageDesc.Version | For Virtual Storage - | +| | | tosca.artifacts.Deployment.Image| ++------------+------------------------------+---------------------------------+ +| R-03070 | vnfExtCpd's with virtual | tosca.nodes.nfv.VnfExtCp with a | +| | NetworkInterfaceRequirements | property tosca.datatypes.nfv.\ | +| | (vNIC) | VirtualNetworkInterface\ | +| | | Requirements | ++------------+------------------------------+---------------------------------+ +| R-09467 | VDU.Compute descriptor | tosca.nodes.nfv.Vdu.Compute | ++------------+------------------------------+---------------------------------+ +| R-16065 | VDU.Compute. Configurable | tosca.datatypes.nfv.Vnfc | +| | Properties | ConfigurableProperties | ++------------+------------------------------+---------------------------------+ +| R-30654 | VNFD.lifeCycleManagement | Interface construct tosca.\ | +| | Script - IFA011 LifeCycle\ | interfaces.nfv.vnf.lifecycle.Nfv| +| | ManagementScript | with a list of standard LCM | +| | | operations | ++------------+------------------------------+---------------------------------+ +| R-35851 | CPD: VduCp, VnfExtCp, | tosca.nodes.nfv.VduCp, tosca.\ | +| | VnfVirtualLinkDesc, QoS | nodes.nfv.VnfVirtualLink, | +| | Monitoring info element - | tosca.nodes.nfv.VnfExtCp | +| | TBD | | ++------------+------------------------------+---------------------------------+ +| R-41215 | VNFD/VDU Profile and scaling | tosca.datatypes.nfv.VduProfile | +| | aspect | and tosca.datatypes.nfv.\ | +| | | ScalingAspect | ++------------+------------------------------+---------------------------------+ +| R-66070 | VNFD meta data | tosca.datatypes.nfv. | +| | | VnfInfoModifiableAttributes - | +| | | metadata? | ++------------+------------------------------+---------------------------------+ +| R-96634 | VNFD.configurableProperties | tosca.datatypes.nfv.Vnf\ | +| | describing scaling | ConfigurableProperties, | +| | characteristics. VNFD.\ | tosca.datatypes.nfv.ScaleInfo | +| | autoscale defines the rules | | +| | for scaling based on specific| | +| | VNF indications | | ++------------+------------------------------+---------------------------------+ +| ? | VDU Virtual Storage | tosca.nodes.nfv.Vdu.\ | +| | | VirtualStorage | ++------------+------------------------------+---------------------------------+ +| R-01478 | Monitoring Info Element (TBD)| tosca.capabilities.nfv.Metric - | +| | - SOL001 per VNF/VDU/VLink | type for monitoring | +| R-01556 | memory-consumption, | | +| | CPU-utilization, | monitoring_parameter of above | +| | bandwidth-consumption, VNFC | type per VNF/VDU/VLink | +| | downtime, etc. | | ++------------+------------------------------+---------------------------------+ + + +Table D2. TOSCA CSAR structure +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This section defines the requirements around the CSAR structure. + +The table below describes the numbered requirements for CSAR structure as +agreed with SDC. The format of the CSAR is specified in SOL004. + ++------------+-------------------------------------+--------------------------+ +| Requirement| Description | CSAR artifact directory | +| Number | | | ++============+=====================================+==========================+ +| R-26881 | The VNF provider MUST provide the | ROOT\\Artifacts\ | +| | binaries and images needed to | \\VNF_Image.bin | +| | instantiate the VNF (VNF and VNFC | | +| | images). | | ++------------+-------------------------------------+--------------------------+ +| R-30654 | VNFD.lifeCycleManagementScript that | ROOT\\Artifacts\ | +| | includes a list of events and | \\Informational\ | +| | corresponding management scripts | \\Install.csh | +| | performed for the VNF - SOL001 | | ++------------+-------------------------------------+--------------------------+ +| R-35851 | All VNF topology related definitions| ROOT\\Definitions\ | +| | in yaml files VNFD/Main Service | \\VNFC.yaml | +| | template at the ROOT | | +| | | ROOT\ | +| | | \\MainService\ | +| | | \\Template.yaml | ++------------+-------------------------------------+--------------------------+ +| R-40827 | CSAR License directory - SOL004 | ROOT\\Licenses\ | +| | | \\License_term.txt | ++------------+-------------------------------------+--------------------------+ +| R-77707 | CSAR Manifest file - SOL004 | ROOT\ | +| | | \\MainServiceTemplate.mf | ++------------+-------------------------------------+--------------------------+ + + diff --git a/docs/Chapter8/VNF-License-Information-Guidelines.rst b/docs/Chapter8/VNF-License-Information-Guidelines.rst new file mode 100644 index 0000000..d571173 --- /dev/null +++ b/docs/Chapter8/VNF-License-Information-Guidelines.rst @@ -0,0 +1,493 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + +VNF License Information Guidelines +---------------------------------- + +This Appendix describes the metadata to be supplied for VNF licenses. + +1. General Information + +Table C1 defines the required and optional fields for licenses. + +Table C1. Required Fields for General Information +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++---------------+-----------------------------------+--------------+----------+ +| **Field Name**| **Description** | **Data Type**| **Type** | ++===============+===================================+==============+==========+ +| VNF Provider | The name of the VNF provider. | String | Mandatory| +| Name | | | | ++---------------+-----------------------------------+--------------+----------+ +| VNF Provider | The name of the product to which | String | Mandatory| +| Product | this agreement applies. | | | +| | | | | +| | Note: a contract/agreement may | | | +| | apply to more than one VNF | | | +| | provider product. In that case, | | | +| | provide the metadata for each | | | +| | product separately. | | | ++---------------+-----------------------------------+--------------+----------+ +| VNF Provider | A general description of VNF | String | Optional | +| Product | provider software product. | | | +| Description | | | | ++---------------+-----------------------------------+--------------+----------+ +| Export Control| ECCNs are 5-character | String | Mandatory| +| Classification| alpha-numeric designations used on| | | +| Number (ECCN) | the Commerce Control List (CCL) to| | | +| | identify dual-use items for export| | | +| | control purposes. An ECCN | | | +| | categorizes items based on the | | | +| | nature of the product, i.e. type | | | +| | of commodity, software, or | | | +| | technology and its respective | | | +| | technical parameters. | | | ++---------------+-----------------------------------+--------------+----------+ +| Reporting | A list of any reporting | List of | Optional | +| Requirements | requirements on the usage of the | strings | | +| | software product. | | | ++---------------+-----------------------------------+--------------+----------+ + +1. Entitlements + +Entitlements describe software license use rights. The use rights may be +quantified by various metrics: # users, # software instances, # units. +The use rights may be limited by various criteria: location (physical or +logical), type of customer, type of device, time, etc. + +One or more entitlements can be defined; each one consists of the +following fields: + +Table C2. Required Fields for Entitlements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++---------------+-----------------------------------+-------------+-----------+ +| **Field Name**| **Description** |**Data Type**| **Type** | ++===============+===================================+=============+===========+ +| VNF Provider | Identifier for the entitlement as | String | Mandatory | +| Part Number / | described by the VNF provider in | | | +| Manufacture | their price list / catalog / | | | +| Reference | contract. | | | +| Number | | | | ++---------------+-----------------------------------+-------------+-----------+ +| Description | Verbiage that describes the | String | Optional | +| | entitlement | | | ++---------------+-----------------------------------+-------------+-----------+ +| Entitlement | Each entitlement defined must be | String | Mandatory | +| Identifier | identified by a unique value (e.g.| | | +| | numbered 1, 2, 3….) | | | ++---------------+-----------------------------------+-------------+-----------+ +| Minimum Order | The minimum number of entitlements| Number | Mandatory | +| Requirement | that need to be purchased. | | | +| | For example, the entitlements must| | | +| | be purchased in a block of 100. If| | | +| | no minimum is required, the value | | | +| | will be zero. | | | ++---------------+-----------------------------------+-------------+-----------+ +| Unique | A list of any reporting | List of | Optional | +| Reporting | requirements on the usage of the | Strings | | +| Requirements | software product. (e.g.: quarterly| | | +| | usage reports are required) | | | ++---------------+-----------------------------------+-------------+-----------+ +| License Type | Type of license applicable to the | String | Mandatory | +| | software product. (e.g.: | | | +| | fixed-term, perpetual, trial, | | | +| | subscription.) | | | ++---------------+-----------------------------------+-------------+-----------+ +| License | Valid values: | String |Conditional| +| Duration | | | | +| | **year**, **quarter**, **month**, | | | +| | **day**. | | | +| | | | | +| | Not applicable when license type | | | +| | is Perpetual. | | | ++---------------+-----------------------------------+-------------+-----------+ +| License | Number of years, quarters, months,| Number |Conditional| +| Duration | or days for which the license is | | | +| Quantification| valid. | | | +| | | | | +| | Not applicable when license type | | | +| | is Perpetual. | | | ++---------------+-----------------------------------+-------------+-----------+ +| Limits | see section C.4 for possible | List | Optional | +| | values | | | ++---------------+-----------------------------------+-------------+-----------+ + +1. License Keys + +This section defines information on any License Keys associated with the +Software Product. A license key is a data string (or a file) providing a +means to authorize the use of software. License key does not provide +entitlement information. + +License Keys are not required. Optionally, one or more license keys can +be defined; each one consists of the following fields: + +Table C3. Required Fields for License Keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++---------------+-----------------------------------+--------------+----------+ +| **Field Name**| **Description** | **Data Type**| **Type** | ++===============+===================================+==============+==========+ +| Description | Verbiage that describes the | String | Mandatory| +| | license key | | | ++---------------+-----------------------------------+--------------+----------+ +| License Key | Each license key defined must be | String | Mandatory| +| Identifier | identified by a unique value | | | +| | (e.g., numbered 1, 2, 3….) | | | ++---------------+-----------------------------------+--------------+----------+ +| Key Function | Lifecycle stage (e.g., | String | Optional | +| | Instantiation or Activation) at | | | +| | which the license key is applied | | | +| | to the software. | | | ++---------------+-----------------------------------+--------------+----------+ +| License Key | Valid values: | String | Mandatory| +| Type | | | | +| | **Universal, Unique** | | | +| | | | | +| | **Universal** - a single license | | | +| | key value that may be used with | | | +| | any number of instances of the | | | +| | software. | | | +| | | | | +| | **Unique**- a unique license key | | | +| | value is required for each | | | +| | instance of the software. | | | ++---------------+-----------------------------------+--------------+----------+ +| Limits | see section C.4 for possible | List | Optional | +| | values | | | ++---------------+-----------------------------------+--------------+----------+ + +1. Entitlement and License Key Limits + +Limitations on the use of software entitlements and license keys may be +based on factors such as: features enabled in the product, the allowed +capacity of the product, number of installations, etc... The limits may +generally be categorized as: + +- where (location) + +- when (time) + +- how (usages) + +- who/what (entity) + +- amount (how much) + +Multiple limits may be applicable for an entitlement or license key. +Each limit may further be described by limit behavior, duration, +quantification, aggregation, aggregation interval, start date, end date, +and threshold. + +When the limit is associated with a quantity, the quantity is relative +to an instance of the entitlement or license key. For example: + +- Each entitlement grants the right to 50 concurrent users. If 10 + entitlements are purchased, the total number of concurrent users + permitted would be 500. In this example, the limit category is + **amount**, the limit type is **users**, and the limit + **quantification** is **50.** + + Each license key may be installed on 3 devices. If 5 license keys are + acquired, the total number of devices allowed would be 15. In this + example, the limit category is **usages**, the limit type is + **device**, and the limit **quantification** is **3.** + +1. Location + +Locations may be logical or physical location (e.g., site, country). For +example: + +- use is allowed in Canada + +Table C4. Required Fields for Location +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++------------------+--------------------------------+--------------+----------+ +| **Field Name** | **Description** | **Data Type**| **Type** | ++==================+================================+==============+==========+ +| Limit Identifier | Each limit defined for an | String | Mandatory| +| | entitlement or license key must| | | +| | be identified by a unique value| | | +| | (e.g., numbered 1,2,3…) | | | ++------------------+--------------------------------+--------------+----------+ +| Limit Description| Verbiage describing the limit. | String | Mandatory| ++------------------+--------------------------------+--------------+----------+ +| Limit Behavior | Description of the actions | String | Mandatory| +| | taken when the limit boundaries| | | +| | are reached. | | | ++------------------+--------------------------------+--------------+----------+ +| Limit Category | Valid value: **location** | String | Mandatory| ++------------------+--------------------------------+--------------+----------+ +| Limit Type | Valid values: **city, county, | String | Mandatory| +| | state, country, region, MSA, | | | +| | BTA, CLLI** | | | ++------------------+--------------------------------+--------------+----------+ +| Limit List | List of locations where the VNF| List of | Mandatory| +| | provider Product can be used or| String | | +| | needs to be restricted from use| | | ++------------------+--------------------------------+--------------+----------+ +| Limit Set Type | Indicates if the list is an | String | Mandatory| +| | inclusion or exclusion. | | | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------+--------------------------------+--------------+----------+ +| Limit | The quantity (amount) the limit| Number | Optional | +| Quantification | expresses. | | | ++------------------+--------------------------------+--------------+----------+ + +1. Time + +Limit on the length of time the software may be used. For example: + +- license key valid for 1 year from activation + +- entitlement valid from 15 May 2018 thru 30 June 2020 + +Table C5. Required Fields for Time +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++------------------+-------------------------------+--------------+-----------+ +| **Field Name** | **Description** | **Data Type**| **Type** | ++==================+===============================+==============+===========+ +| Limit Identifier | Each limit defined for an | String | Mandatory | +| | entitlement or license key | | | +| | must be identified by a unique| | | +| | value (e.g., numbered) | | | ++------------------+-------------------------------+--------------+-----------+ +| Limit Description| Verbiage describing the limit.| String | Mandatory | ++------------------+-------------------------------+--------------+-----------+ +| Limit Behavior | Description of the actions | String | Mandatory | +| | taken when the limit | | | +| | boundaries are reached. | | | +| | | | | +| | The limit behavior may also | | | +| | describe when a time limit | | | +| | takes effect. (e.g., key is | | | +| | valid for 1 year from date of | | | +| | purchase). | | | ++------------------+-------------------------------+--------------+-----------+ +| Limit Category | Valid value: **time** | String | Mandatory | ++------------------+-------------------------------+--------------+-----------+ +| Limit Type | Valid values: | String | Mandatory | +| | **duration, date** | | | ++------------------+-------------------------------+--------------+-----------+ +| Limit List | List of times for which the | List of | Mandatory | +| | VNF Provider Product can be | String | | +| | used or needs to be restricted| | | +| | from use | | | ++------------------+-------------------------------+--------------+-----------+ +| Duration Units | Required when limit type is | String |Conditional| +| | duration. Valid values: | | | +| | **perpetual, year, quarter, | | | +| | month, day, minute, second, | | | +| | millisecond** | | | ++------------------+-------------------------------+--------------+-----------+ +| Limit | The quantity (amount) the | Number | Optional | +| Quantification | limit expresses. | | | ++------------------+-------------------------------+--------------+-----------+ +| Start Date | Required when limit type is | Date | Optional | +| | date. | | | ++------------------+-------------------------------+--------------+-----------+ +| End Date | May be used when limit type is| Date | Optional | +| | date. | | | ++------------------+-------------------------------+--------------+-----------+ + +1. Usage + +Limits based on how the software is used. For example: + +- use is limited to a specific sub-set of the features/capabilities the + software supports + +- use is limited to a certain environment (e.g., test, development, + production…) + +- use is limited by processor (vm, cpu, core) + +- use is limited by software release + +Table C6. Required Fields for Usage +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++------------------+-------------------------------+---------------+----------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++==================+===============================+===============+==========+ +| Limit Identifier | Each limit defined for an | String | Mandatory| +| | entitlement or license key | | | +| | must be identified by a unique| | | +| | value (e.g., numbered) | | | ++------------------+-------------------------------+---------------+----------+ +| Limit Description| Verbiage describing the limit.| String | Mandatory| ++------------------+-------------------------------+---------------+----------+ +| Limit Behavior | Description of the actions | String | Mandatory| +| | taken when the limit | | | +| | boundaries are reached. | | | ++------------------+-------------------------------+---------------+----------+ +| Limit Category | Valid value: **usages** | String | Mandatory| ++------------------+-------------------------------+---------------+----------+ +| Limit Type | Valid values: **feature, | String | Mandatory| +| | environment, processor, | | | +| | version** | | | ++------------------+-------------------------------+---------------+----------+ +| Limit List | List of usage limits (e.g., | List of String| Mandatory| +| | test, development, vm, core, | | | +| | R1.2.1, R1.3.5…) | | | ++------------------+-------------------------------+---------------+----------+ +| Limit Set Type | Indicates if the list is an | String | Mandatory| +| | inclusion or exclusion. | | | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------+-------------------------------+---------------+----------+ +| Limit | The quantity (amount) the | Number | Optional | +| Quantification | limit expresses. | | | ++------------------+-------------------------------+---------------+----------+ + +1. Entity + +Limit on the entity (product line, organization, customer) allowed to +make use of the software. For example: + +- allowed to be used in support of wireless products + +- allowed to be used only for government entities + +Table C7. Required Fields for Entity +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++------------------+--------------------------------+--------------+----------+ +| **Field Name** | **Description** |**Data Type** | **Type** | ++==================+================================+==============+==========+ +| Limit Identifier | Each limit defined for an | String | Mandatory| +| | entitlement or license key must| | | +| | be identified by a unique value| | | +| | (e.g., numbered) | | | ++------------------+--------------------------------+--------------+----------+ +| Limit Description| Verbiage describing the limit. | String | Mandatory| ++------------------+--------------------------------+--------------+----------+ +| Limit Behavior | Description of the actions | String | Mandatory| +| | taken when the limit boundaries| | | +| | are reached. | | | ++------------------+--------------------------------+--------------+----------+ +| Limit Category | Valid value: **entity** | String | Mandatory| ++------------------+--------------------------------+--------------+----------+ +| Limit Type | Valid values: **product line, | String | Mandatory| +| | organization, internal | | | +| | customer, external customer** | | | ++------------------+--------------------------------+--------------+----------+ +| Limit List | List of entities for which the |List of String| Mandatory| +| | VNF Provider Product can be | | | +| | used or needs to be restricted | | | +| | from use | | | ++------------------+--------------------------------+--------------+----------+ +| Limit Set Type | Indicates if the list is an | String | Mandatory| +| | inclusion or exclusion. | | | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------+--------------------------------+--------------+----------+ +| Limit | The quantity (amount) the limit| Number | Optional | +| Quantification | expresses. | | | ++------------------+--------------------------------+--------------+----------+ + +1. Amount + +These limits describe terms relative to utilization of the functions of +the software (for example, number of named users permitted, throughput, +or capacity). Limits of this type may also be relative to utilization of +other resources (for example, a limit for firewall software is not based +on use of the firewall software, but on the number of network +subscribers). + +The metadata describing this type of limit includes the unit of measure +(e.g., # users, # sessions, # MB, # TB, etc.), the quantity of units, +any aggregation function (e.g., peak or average users), and aggregation +interval (day, month, quarter, year, etc.). + +Table C8. Required Fields for Amount +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ++------------------+---------------------------------+-------------+----------+ +| **Field Name** | **Description** |**Data Type**| **Type** | ++==================+=================================+=============+==========+ +| Limit Identifier | Each limit defined for an | String | Mandatory| +| | entitlement or license key must | | | +| | be identified by a unique value | | | +| | (e.g., numbered) | | | ++------------------+---------------------------------+-------------+----------+ +| Limit Description| Verbiage describing the limit. | String | Mandatory| ++------------------+---------------------------------+-------------+----------+ +| Limit Behavior | Description of the actions taken| String | Mandatory| +| | when the limit boundaries are | | | +| | reached. | | | ++------------------+---------------------------------+-------------+----------+ +| Limit Category | Valid value: **amount** | String | Mandatory| ++------------------+---------------------------------+-------------+----------+ +| Limit Type | Valid values: **trunk, user, | String | Mandatory| +| | subscriber, session, token, | | | +| | transactions, seats, KB, MB, TB,| | | +| | GB** | | | ++------------------+---------------------------------+-------------+----------+ +| Type of | Is the limit relative to | String | Mandatory| +| Utilization | utilization of the functions of | | | +| | the software or relative to | | | +| | utilization of other resources? | | | +| | | | | +| | Valid values: | | | +| | | | | +| | - **software functions** | | | +| | | | | +| | - **other resources** | | | ++------------------+---------------------------------+-------------+----------+ +| Limit | The quantity (amount) the limit | Number | Optional | +| Quantification | expresses. | | | ++------------------+---------------------------------+-------------+----------+ +| Aggregation | Valid values: **peak, average** | String | Optional | +| Function | | | | ++------------------+---------------------------------+-------------+----------+ +| Aggregation | Time period over which the | String | Optional | +| Interval | aggregation is done (e.g., | | | +| | average sessions per quarter). | | | +| | Required when an Aggregation | | | +| | Function is specified. | | | +| | | | | +| | Valid values: **day, month, | | | +| | quarter, year, minute, second, | | | +| | millisecond** | | | ++------------------+---------------------------------+-------------+----------+ +| Aggregation | Is the limit quantity applicable| String | Optional | +| Scope | to a single entitlement or | | | +| | license key (each separately)? | | | +| | Or may the limit quantity be | | | +| | combined with others of the same| | | +| | type (resulting in limit amount | | | +| | that is the sum of all the | | | +| | purchased entitlements or | | | +| | license keys)? | | | +| | | | | +| | Valid values: | | | +| | | | | +| | - **single** | | | +| | | | | +| | - **combined** | | | ++------------------+---------------------------------+-------------+----------+ +| Type of User | Describes the types of users of | String | Optional | +| | the functionality offered by the| | | +| | software (e.g., authorized, | | | +| | named). This field is included | | | +| | when Limit Type is user. | | | ++------------------+---------------------------------+-------------+----------+ + diff --git a/docs/Chapter8/index.rst b/docs/Chapter8/index.rst new file mode 100644 index 0000000..503dc8c --- /dev/null +++ b/docs/Chapter8/index.rst @@ -0,0 +1,17 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2017 AT&T Intellectual Property. All rights reserved. + + +Appendix +======== + +.. toctree:: + :maxdepth: 2 + + Chef-JSON-Key-Value-Description + Ansible-JSON-Key-Value-Description + VNF-License-Information-Guidelines + TOSCA-model + Requirement-List + Ansible-Playbook-Examples diff --git a/docs/index.rst b/docs/index.rst index 7268448..297a762 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -10,11 +10,11 @@ VNF Requirements Documentation :maxdepth: 2 :numbered: - Chapter1 - Chapter2 - Chapter3 - Chapter4 - Chapter5 - Chapter6 - Chapter7 - Chapter8 + Chapter1/index + Chapter2/index + Chapter3/index + Chapter4/index + Chapter5/index + Chapter6/index + Chapter7/index + Chapter8/index |