| ************************************* |
| vFWCL on Dublin ONAP offline platform |
| ************************************* |
| |
| |image0| |
| |
| This document is collecting notes we have from running vFirewall demo on offline Dublin platform |
| installed by ONAP offline installer tool. |
| |
| Overall it was much easier in compare with earlier version, however following steps are still needed. |
| |
| Some of the most relevant materials are available on following links: |
| |
| * `oom_quickstart_guide.html <https://docs.onap.org/en/dublin/submodules/oom.git/docs/oom_quickstart_guide.html>`_ |
| * `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_ |
| |
| |
| .. contents:: Table of Contents |
| :depth: 2 |
| |
| |
| |
| Step 1. Preconditions - before ONAP deployment |
| ============================================== |
| |
| Understanding of the underlying OpenStack deployment is required from anyone applying these instructions. |
| |
| In addition, installation-specific location of the helm charts on the infra node must be known. |
| In this document it is referred to as <helm_charts_dir> |
| |
| Snippets below are describing areas we need to configure for successfull vFWCL demo. |
| |
| Pay attention to them and configure it (ideally before deployment) accordingly. |
| |
| **1) <helm_charts_dir>/onap/values.yaml**:: |
| |
| |
| ################################################################# |
| # Global configuration overrides. |
| # !!! VIM specific entries are in APPC / Robot & SO parts !!! |
| ################################################################# |
| global: |
| # Change to an unused port prefix range to prevent port conflicts |
| # with other instances running within the same k8s cluster |
| nodePortPrefix: 302 |
| nodePortPrefixExt: 304 |
| |
| # ONAP Repository |
| # Uncomment the following to enable the use of a single docker |
| # repository but ONLY if your repository mirrors all ONAP |
| # docker images. This includes all images from dockerhub and |
| # any other repository that hosts images for ONAP components. |
| #repository: nexus3.onap.org:10001 |
| repositoryCred: |
| user: docker |
| password: docker |
| |
| # readiness check - temporary repo until images migrated to nexus3 |
| readinessRepository: oomk8s |
| # logging agent - temporary repo until images migrated to nexus3 |
| loggingRepository: docker.elastic.co |
| |
| # image pull policy |
| pullPolicy: Always |
| |
| # default mount path root directory referenced |
| # by persistent volumes and log files |
| persistence: |
| mountPath: /dockerdata-nfs |
| enableDefaultStorageclass: false |
| parameters: {} |
| storageclassProvisioner: kubernetes.io/no-provisioner |
| volumeReclaimPolicy: Retain |
| |
| # override default resource limit flavor for all charts |
| flavor: unlimited |
| |
| # flag to enable debugging - application support required |
| debugEnabled: false |
| |
| ################################################################# |
| # Enable/disable and configure helm charts (ie. applications) |
| # to customize the ONAP deployment. |
| ################################################################# |
| aaf: |
| enabled: true |
| aai: |
| enabled: true |
| appc: |
| enabled: true |
| config: |
| openStackType: "OpenStackProvider" |
| openStackName: "OpenStack" |
| openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" |
| openStackServiceTenantName: "service" |
| openStackDomain: "default" |
| openStackUserName: "onap-tieto" |
| openStackEncryptedPassword: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" |
| cassandra: |
| enabled: true |
| clamp: |
| enabled: true |
| cli: |
| enabled: true |
| consul: |
| enabled: true |
| contrib: |
| enabled: true |
| dcaegen2: |
| enabled: true |
| pnda: |
| enabled: true |
| dmaap: |
| enabled: true |
| esr: |
| enabled: true |
| log: |
| enabled: true |
| sniro-emulator: |
| enabled: true |
| oof: |
| enabled: true |
| mariadb-galera: |
| enabled: true |
| msb: |
| enabled: true |
| multicloud: |
| enabled: true |
| nbi: |
| enabled: true |
| config: |
| # openstack configuration |
| openStackRegion: "Yolo" |
| openStackVNFTenantId: "1234" |
| nfs-provisioner: |
| enabled: true |
| policy: |
| enabled: true |
| pomba: |
| enabled: true |
| portal: |
| enabled: true |
| robot: |
| enabled: true |
| appcUsername: "appc@appc.onap.org" |
| appcPassword: "demo123456!" |
| openStackKeyStoneUrl: "http://10.20.30.40:5000" |
| openStackPublicNetId: "9403ceea-0738-4908-a826-316c8541e4bb" |
| openStackPublicNetworkName: "rc3-offline-network" |
| openStackTenantId: "b1ce7742d956463999923ceaed71786e" |
| openStackUserName: "onap-tieto" |
| ubuntu14Image: "trusty" |
| openStackPrivateNetId: "3c7aa2bd-ba14-40ce-8070-6a0d6a617175" |
| openStackPrivateSubnetId: "2bcb9938-9c94-4049-b580-550a44dc63b3" |
| openStackPrivateNetCidr: "10.0.0.0/16" |
| openStackSecurityGroup: "onap_sg" |
| openStackOamNetworkCidrPrefix: "10.0" |
| dcaeCollectorIp: "10.8.8.22" # this IP is taken from k8s host |
| vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPwF2bYm2QuqZpjuAcZDJTcFdUkKv4Hbd/3qqbxf6g5ZgfQarCi+mYnKe9G9Px3CgFLPdgkBBnMSYaAzMjdIYOEdPKFTMQ9lIF0+i5KsrXvszWraGKwHjAflECfpTAWkPq2UJUvwkV/g7NS5lJN3fKa9LaqlXdtdQyeSBZAUJ6QeCE5vFUplk3X6QFbMXOHbZh2ziqu8mMtP+cWjHNBB47zHQ3RmNl81Rjv+QemD5zpdbK/h6AahDncOY3cfN88/HPWrENiSSxLC020sgZNYgERqfw+1YhHrclhf3jrSwCpZikjl7rqKroua2LBI/yeWEta3amTVvUnR2Y7gM8kHyh Generated-by-Nova" |
| demoArtifactsVersion: "1.4.0" # Dublin prefered is 1.4.0 |
| demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" |
| scriptVersion: "1.4.0" # Dublin prefered is 1.4.0 |
| rancherIpAddress: "10.8.8.8" # this IP is taken from infra node |
| config: |
| # instructions how to generate this value properly are in OOM quick quide mentioned above |
| openStackEncryptedPasswordHere: "f7920677e15e2678b0f33736189e8965" |
| |
| sdc: |
| enabled: true |
| sdnc: |
| enabled: true |
| |
| replicaCount: 1 |
| |
| mysql: |
| replicaCount: 1 |
| so: |
| enabled: true |
| config: |
| openStackUserName: "onap-tieto" |
| openStackRegion: "RegionOne" |
| openStackKeyStoneUrl: "http://10.20.30.40:5000" |
| openStackServiceTenantName: "services" |
| # instructions how to generate this value properly are in OOM quick quide mentioned above |
| openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" |
| |
| replicaCount: 1 |
| |
| liveness: |
| # necessary to disable liveness probe when setting breakpoints |
| # in debugger so K8s doesn't restart unresponsive container |
| enabled: true |
| |
| so-catalog-db-adapter: |
| config: |
| openStackUserName: "onap-tieto" |
| openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" |
| # instructions how to generate this value properly are in OOM quick quide mentioned above |
| openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" |
| |
| uui: |
| enabled: true |
| vfc: |
| enabled: true |
| vid: |
| enabled: true |
| vnfsdk: |
| enabled: true |
| modeling: |
| enabled: true |
| |
| |
| **2) <helm_charts_dir>/robot/resources/config/eteshare/config/vm_properties.py**:: |
| |
| # following patch is required because in Dublin public network is hardcoded |
| # reported in TEST-166 and is implemented in El-Alto |
| # just add following row into file |
| GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK = '{{ .Values.openStackPublicNetworkName }}' |
| |
| |
| |
| Step 2. Preconditions - after ONAP deployment |
| ============================================= |
| |
| |
| Run HealthChecks after successful deployment, all of them must pass |
| |
| Relevant robot scripts are under <helm_charts_dir>/oom/kubernetes/robot |
| |
| :: |
| |
| [root@tomas-infra robot]# ./ete-k8s.sh onap health |
| |
| 61 critical tests, 61 passed, 0 failed |
| 61 tests total, 61 passed, 0 failed |
| |
| very useful page describing commands for `manual checking of HC’s <https://wiki.onap.org/display/DW/Robot+Healthcheck+Tests+on+ONAP+Components#RobotHealthcheckTestsonONAPComponents-ApplicationController(APPC)Healthcheck>`_ |
| |
| Step 3. Patch public network |
| ============================ |
| |
| This is the last part of correction for `TEST-166 <https://jira.onap.org/browse/TEST-166>`_ needed for Dublin branch. |
| |
| :: |
| |
| [root@tomas-infra helm_charts]# kubectl get pods -n onap | grep robot |
| onap-robot-robot-5c7c46bbf4-4zgkn 1/1 Running 0 3h15m |
| [root@tomas-infra helm_charts]# kubectl exec -it onap-robot-robot-5c7c46bbf4-4zgkn bash |
| root@onap-robot-robot-5c7c46bbf4-4zgkn:/# cd /var/opt/ONAP/ |
| root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/demo_preload.robot |
| root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/policy_check_vfw.robot |
| root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/validate_vfw.robot |
| |
| |
| Step 4. Set private key for robot when accessing VNFs |
| ===================================================== |
| |
| This is workaround for ticket `TEST-167 <https://jira.onap.org/browse/TEST-167>`_, as of now robot is using following file as private key |
| */var/opt/ONAP/robot/assets/keys/onap_dev.pvt* |
| |
| One can either set it to own private key, corresponding with public key inserted into VMs from *vnfPubKey* param |
| OR |
| set mount own private key into robot container and change GLOBAL_VM_PRIVATE_KEY in */var/opt/ONAP/robot/resources/global_properties.robot* |
| |
| |
| Step 5. robot init - demo services distribution |
| ================================================ |
| |
| Run following robot script to execute both init_customer + distribute |
| |
| :: |
| |
| # demo-k8s.sh <namespace> init |
| |
| [root@tomas-infra robot]# ./demo-k8s.sh onap init |
| |
| |
| |
| Step 6. robot instantiateVFW |
| ============================ |
| |
| Following tag is used for whole vFWCL testcase. It will deploy single heat stack with 3 VMs and set policies and APPC mount point for vFWCL to happen. |
| |
| :: |
| |
| # demo-k8s.sh <namespace> instantiateVFW |
| |
| root@tomas-infra robot]# ./demo-k8s.sh onap instantiateVFW |
| |
| Step 7. fix CloseLoopName in tca microservice |
| ============================================= |
| |
| In Dublin scope, tca microservice is configured with hardcoded entries from `tcaSpec.json <https://gerrit.onap.org/r/gitweb?p=dcaegen2/analytics/tca.git;a=blob;f=dpo/tcaSpec.json;h=8e69c068ea47300707b8131fbc8d71e9a47af8a2;hb=HEAD#l278>`_ |
| |
| After updating operational policy within instantiateVFW robot tag execution, one must change CloseLoopName in tca to match with generated |
| value in policy. This is done in two parts: |
| |
| a) get correct value |
| |
| :: |
| |
| # from drools container, i.e. drools in Dublin is not mapped to k8s host |
| curl -k --silent --user 'demo@people.osaaf.org:demo123456!' -X GET https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops --insecure |
| |
| |
| # alternatively same value can be obtained from telemetry console in drools container |
| telemetry |
| https://localhost:9696/policy/pdp/engine> cd controllers/usecases/drools/facts/usecases/controlloops |
| https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops> get |
| HTTP/1.1 200 OK |
| Content-Length: 62 |
| Content-Type: application/json |
| Date: Tue, 25 Jun 2019 07:18:56 GMT |
| Server: Jetty(9.4.14.v20181114) |
| [ |
| "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c" |
| ] |
| |
| b) update the tca microservice |
| |
| see Preconditions part in `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_ |
| This step will be automated in El-Alto, it's tracked in `TEST-168 <https://jira.onap.org/browse/TEST-168>`_ |
| |
| Step 8. verify vFW |
| ================== |
| |
| Verify VFWCL. This step is just to verify CL functionality, which can be also verified by checking DarkStat GUI on vSINK VM <sink_ip:667> |
| |
| :: |
| |
| # demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address> |
| # e.g. where 10.8.8.5 is IP from public network dedicated to vPKG VM |
| root@tomas-infra robot]# ./demo-k8s.sh onap vfwclosedloop 10.8.8.5 |
| |
| .. |image0| image:: images/vFWCL-dublin.jpg |
| :width: 387px |
| :height: 393px |