Michal Ptacek | 2a96f15 | 2019-07-04 13:34:53 +0200

*************************************
vFWCL on Dublin ONAP offline platform
*************************************

|image0|

This document collects the notes we have from running the vFirewall demo on an offline Dublin platform
installed by the ONAP offline installer tool.

Overall it was much easier compared with the earlier version; however, the following steps are still needed.

Some of the most relevant materials are available at the following links:

* `oom_quickstart_guide.html <https://docs.onap.org/en/dublin/submodules/oom.git/docs/oom_quickstart_guide.html>`_
* `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_


.. contents:: Table of Contents
   :depth: 2



Step 1. Preconditions - before ONAP deployment
==============================================

An understanding of the underlying OpenStack deployment is required from anyone applying these instructions.

In addition, the installation-specific location of the helm charts on the infra node must be known.
In this document it is referred to as <helm_charts_dir>.

The snippets below describe the areas that need to be configured for a successful vFWCL demo.

Pay attention to them and configure them accordingly (ideally before deployment).

**1) <helm_charts_dir>/onap/values.yaml**::

| 38 | ################################################################# |
| 39 | # Global configuration overrides. |
| 40 | # !!! VIM specific entries are in APPC / Robot & SO parts !!! |
| 41 | ################################################################# |
| 42 | global: |
| 43 | # Change to an unused port prefix range to prevent port conflicts |
| 44 | # with other instances running within the same k8s cluster |
| 45 | nodePortPrefix: 302 |
| 46 | nodePortPrefixExt: 304 |
| 47 | |
| 48 | # ONAP Repository |
| 49 | # Uncomment the following to enable the use of a single docker |
| 50 | # repository but ONLY if your repository mirrors all ONAP |
| 51 | # docker images. This includes all images from dockerhub and |
| 52 | # any other repository that hosts images for ONAP components. |
| 53 | #repository: nexus3.onap.org:10001 |
| 54 | repositoryCred: |
| 55 | user: docker |
| 56 | password: docker |
| 57 | |
| 58 | # readiness check - temporary repo until images migrated to nexus3 |
| 59 | readinessRepository: oomk8s |
| 60 | # logging agent - temporary repo until images migrated to nexus3 |
| 61 | loggingRepository: docker.elastic.co |
| 62 | |
| 63 | # image pull policy |
| 64 | pullPolicy: Always |
| 65 | |
| 66 | # default mount path root directory referenced |
| 67 | # by persistent volumes and log files |
| 68 | persistence: |
| 69 | mountPath: /dockerdata-nfs |
| 70 | enableDefaultStorageclass: false |
| 71 | parameters: {} |
| 72 | storageclassProvisioner: kubernetes.io/no-provisioner |
| 73 | volumeReclaimPolicy: Retain |
| 74 | |
| 75 | # override default resource limit flavor for all charts |
| 76 | flavor: unlimited |
| 77 | |
| 78 | # flag to enable debugging - application support required |
| 79 | debugEnabled: false |
| 80 | |
| 81 | ################################################################# |
| 82 | # Enable/disable and configure helm charts (ie. applications) |
| 83 | # to customize the ONAP deployment. |
| 84 | ################################################################# |
| 85 | aaf: |
| 86 | enabled: true |
| 87 | aai: |
| 88 | enabled: true |
| 89 | appc: |
| 90 | enabled: true |
| 91 | config: |
| 92 | openStackType: "OpenStackProvider" |
| 93 | openStackName: "OpenStack" |
| 94 | openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" |
| 95 | openStackServiceTenantName: "service" |
| 96 | openStackDomain: "default" |
| 97 | openStackUserName: "onap-tieto" |
| 98 | openStackEncryptedPassword: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" |
| 99 | cassandra: |
| 100 | enabled: true |
| 101 | clamp: |
| 102 | enabled: true |
| 103 | cli: |
| 104 | enabled: true |
| 105 | consul: |
| 106 | enabled: true |
| 107 | contrib: |
| 108 | enabled: true |
| 109 | dcaegen2: |
| 110 | enabled: true |
| 111 | pnda: |
| 112 | enabled: true |
| 113 | dmaap: |
| 114 | enabled: true |
| 115 | esr: |
| 116 | enabled: true |
| 117 | log: |
| 118 | enabled: true |
| 119 | sniro-emulator: |
| 120 | enabled: true |
| 121 | oof: |
| 122 | enabled: true |
| 123 | mariadb-galera: |
| 124 | enabled: true |
| 125 | msb: |
| 126 | enabled: true |
| 127 | multicloud: |
| 128 | enabled: true |
| 129 | nbi: |
| 130 | enabled: true |
| 131 | config: |
| 132 | # openstack configuration |
| 133 | openStackRegion: "Yolo" |
| 134 | openStackVNFTenantId: "1234" |
| 135 | nfs-provisioner: |
| 136 | enabled: true |
| 137 | policy: |
| 138 | enabled: true |
| 139 | pomba: |
| 140 | enabled: true |
| 141 | portal: |
| 142 | enabled: true |
| 143 | robot: |
| 144 | enabled: true |
| 145 | appcUsername: "appc@appc.onap.org" |
| 146 | appcPassword: "demo123456!" |
| 147 | openStackKeyStoneUrl: "http://10.20.30.40:5000" |
| 148 | openStackPublicNetId: "9403ceea-0738-4908-a826-316c8541e4bb" |
| 149 | openStackPublicNetworkName: "rc3-offline-network" |
| 150 | openStackTenantId: "b1ce7742d956463999923ceaed71786e" |
| 151 | openStackUserName: "onap-tieto" |
| 152 | ubuntu14Image: "trusty" |
| 153 | openStackPrivateNetId: "3c7aa2bd-ba14-40ce-8070-6a0d6a617175" |
| 154 | openStackPrivateSubnetId: "2bcb9938-9c94-4049-b580-550a44dc63b3" |
| 155 | openStackPrivateNetCidr: "10.0.0.0/16" |
| 156 | openStackSecurityGroup: "onap_sg" |
| 157 | openStackOamNetworkCidrPrefix: "10.0" |
| 158 | dcaeCollectorIp: "10.8.8.22" # this IP is taken from k8s host |
| 159 | vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPwF2bYm2QuqZpjuAcZDJTcFdUkKv4Hbd/3qqbxf6g5ZgfQarCi+mYnKe9G9Px3CgFLPdgkBBnMSYaAzMjdIYOEdPKFTMQ9lIF0+i5KsrXvszWraGKwHjAflECfpTAWkPq2UJUvwkV/g7NS5lJN3fKa9LaqlXdtdQyeSBZAUJ6QeCE5vFUplk3X6QFbMXOHbZh2ziqu8mMtP+cWjHNBB47zHQ3RmNl81Rjv+QemD5zpdbK/h6AahDncOY3cfN88/HPWrENiSSxLC020sgZNYgERqfw+1YhHrclhf3jrSwCpZikjl7rqKroua2LBI/yeWEta3amTVvUnR2Y7gM8kHyh Generated-by-Nova" |
| 160 | demoArtifactsVersion: "1.4.0" # Dublin prefered is 1.4.0 |
| 161 | demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" |
| 162 | scriptVersion: "1.4.0" # Dublin prefered is 1.4.0 |
| 163 | rancherIpAddress: "10.8.8.8" # this IP is taken from infra node |
| 164 | config: |
| 165 | # instructions how to generate this value properly are in OOM quick quide mentioned above |
| 166 | openStackEncryptedPasswordHere: "f7920677e15e2678b0f33736189e8965" |
| 167 | |
| 168 | sdc: |
| 169 | enabled: true |
| 170 | sdnc: |
| 171 | enabled: true |
| 172 | |
| 173 | replicaCount: 1 |
| 174 | |
| 175 | mysql: |
| 176 | replicaCount: 1 |
| 177 | so: |
| 178 | enabled: true |
| 179 | config: |
| 180 | openStackUserName: "onap-tieto" |
| 181 | openStackRegion: "RegionOne" |
| 182 | openStackKeyStoneUrl: "http://10.20.30.40:5000" |
| 183 | openStackServiceTenantName: "services" |
| 184 | # instructions how to generate this value properly are in OOM quick quide mentioned above |
| 185 | openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" |
| 186 | |
| 187 | replicaCount: 1 |
| 188 | |
| 189 | liveness: |
| 190 | # necessary to disable liveness probe when setting breakpoints |
| 191 | # in debugger so K8s doesn't restart unresponsive container |
| 192 | enabled: true |
| 193 | |
| 194 | so-catalog-db-adapter: |
| 195 | config: |
| 196 | openStackUserName: "onap-tieto" |
| 197 | openStackKeyStoneUrl: "http://10.20.30.40:5000/v2.0" |
| 198 | # instructions how to generate this value properly are in OOM quick quide mentioned above |
| 199 | openStackEncryptedPasswordHere: "31ECA9F2BA98EF34C9EC3412D071E31185F6D9522808867894FF566E6118983AD5E6F794B8034558" |
| 200 | |
| 201 | uui: |
| 202 | enabled: true |
| 203 | vfc: |
| 204 | enabled: true |
| 205 | vid: |
| 206 | enabled: true |
| 207 | vnfsdk: |
| 208 | enabled: true |
| 209 | modeling: |
| 210 | enabled: true |
| 211 | |
| 212 | |
| 213 | **2) <helm_charts_dir>/robot/resources/config/eteshare/config/vm_properties.py**:: |
| 214 | |
| 215 | # following patch is required because in Dublin public network is hardcoded |
| 216 | # reported in TEST-166 and is implemented in El-Alto |
| 217 | # just add following row into file |
| 218 | GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK = '{{ .Values.openStackPublicNetworkName }}' |
| 219 | |
| 220 | |
| 221 | |
Step 2. Preconditions - after ONAP deployment
=============================================


Run the HealthChecks after a successful deployment; all of them must pass.

The relevant robot scripts are under <helm_charts_dir>/oom/kubernetes/robot

::

  [root@tomas-infra robot]# ./ete-k8s.sh onap health

  61 critical tests, 61 passed, 0 failed
  61 tests total, 61 passed, 0 failed

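When the health run is driven from a script rather than read by eye, the summary lines above are the thing to gate on. The following is an added example (not part of these notes or of the ONAP robot scripts) that parses those lines with POSIX sh and awk and refuses to pass when any summary line reports failures or when no summary line is present at all; the sample output is constructed from the lines shown in Step 2.

```shell
#!/bin/sh
# Added example, not part of the original notes: gate automation on the summary
# lines ete-k8s.sh prints at the end of the health run ("N critical tests,
# N passed, N failed"). Assumes POSIX sh and awk only.

# Read robot output on stdin. Exit 0 only when at least one summary line was
# seen and every summary line reports 0 failed; exit 1 otherwise, so a missing
# or truncated summary counts as a failure rather than a pass.
health_summary_passed() {
    awk '
        /tests.*passed.*failed/ {
            seen = 1
            n = split($0, part, ",")        # "61 critical tests" | " 61 passed" | " 0 failed"
            split(part[n], words, " ")      # single-space FS: leading blanks ignored
            if (words[1] + 0 != 0) failed = 1
        }
        END { exit ((seen && !failed) ? 0 : 1) }
    '
}

# Print the failed count from the "tests total" line, or "unknown" if absent.
health_failed_count() {
    awk -F, '/tests total/ { split($NF, w, " "); print w[1]; found = 1 }
             END { if (!found) print "unknown" }'
}

# Constructed samples: the passing output from Step 2 and a failing variant.
sample_ok='[root@tomas-infra robot]# ./ete-k8s.sh onap health

61 critical tests, 61 passed, 0 failed
61 tests total, 61 passed, 0 failed'

sample_bad='61 critical tests, 59 passed, 2 failed
61 tests total, 59 passed, 2 failed'

if printf '%s\n' "$sample_ok" | health_summary_passed; then
    echo "health check passed, continue with the demo steps"
fi
if ! printf '%s\n' "$sample_bad" | health_summary_passed; then
    echo "health check failed: $(printf '%s\n' "$sample_bad" | health_failed_count) test(s), stop here"
fi
```

In practice you would pipe `./ete-k8s.sh onap health | tee health.log` into `health_summary_passed` and stop the pipeline on a non-zero exit; the failing component names are in the full log, not in the summary.
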
A very useful page describes the commands for `manual checking of HCs <https://wiki.onap.org/display/DW/Robot+Healthcheck+Tests+on+ONAP+Components#RobotHealthcheckTestsonONAPComponents-ApplicationController(APPC)Healthcheck>`_

Step 3. Patch public network
============================

This is the last part of the correction for `TEST-166 <https://jira.onap.org/browse/TEST-166>`_ needed for the Dublin branch.

::

  [root@tomas-infra helm_charts]# kubectl get pods -n onap | grep robot
  onap-robot-robot-5c7c46bbf4-4zgkn 1/1 Running 0 3h15m
  [root@tomas-infra helm_charts]# kubectl exec -it onap-robot-robot-5c7c46bbf4-4zgkn bash
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/# cd /var/opt/ONAP/
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/demo_preload.robot
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/policy_check_vfw.robot
  root@onap-robot-robot-5c7c46bbf4-4zgkn:/var/opt/ONAP# sed -i 's/network_name=public/network_name=${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}/g' robot/resources/stack_validation/validate_vfw.robot

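The three sed commands above are typed by hand inside the pod, and nothing tells you whether a `network_name=public` was missed or whether a longer value (say `network_name=public_ext`) was mangled. The following is an added example (not part of these notes or of the ONAP robot code) that wraps the same substitution in a POSIX sh function which only touches whole tokens, can be re-run safely, and is paired with a check that reports any literal public network still left in the file; the sample robot lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply the TEST-166 workaround
# from Step 3 to a robot resource file and verify no hardcoded public network
# remains. Assumes only POSIX sh, sed and grep; the file paths are whatever the
# caller passes (in the real robot container, the three files under
# /var/opt/ONAP/robot/resources named in Step 3).

INJECTED_VAR='${GLOBAL_INJECTED_OPENSTACK_PUBLIC_NETWORK}'

# Rewrite every whole "network_name=public" token (at end of line, or followed
# by whitespace) to the injected variable. A longer value such as
# network_name=public_ext is left untouched, and running this twice is a no-op.
patch_public_network() {
    file="$1"
    sed -e "s/network_name=public\$/network_name=${INJECTED_VAR}/" \
        -e "s/network_name=public\([[:space:]]\)/network_name=${INJECTED_VAR}\1/g" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Exit 0 if FILE still contains a literal public network token, 1 otherwise.
has_hardcoded_public() {
    grep -Eq 'network_name=public([[:space:]]|$)' "$1"
}

# Print how many lines in FILE now reference the injected variable.
count_injected() {
    grep -cF "network_name=${INJECTED_VAR}" "$1"
}

# Constructed sample in the style of the robot keyword arguments the sed targets.
demo="$(mktemp)"
cat > "$demo" <<'EOF'
    Run Keyword  network_name=public  image_name=trusty
    Run Keyword  network_name=public
    Run Keyword  network_name=public_ext
EOF
patch_public_network "$demo"
if has_hardcoded_public "$demo"; then
    echo "literal public network still present in $demo"
else
    echo "patched: $(count_injected "$demo") line(s) now use $INJECTED_VAR"
fi
rm -f "$demo"
```

Inside the robot pod this would be called as `patch_public_network robot/resources/demo_preload.robot` for each of the three files, followed by `has_hardcoded_public` on each to confirm the patch took; the temp-file-and-mv form is used instead of `sed -i` so the same function works with BSD sed as well.
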

Step 4. Set private key for robot when accessing VNFs
=====================================================

This is a workaround for ticket `TEST-167 <https://jira.onap.org/browse/TEST-167>`_; as of now robot is using the following file as its private key:
*/var/opt/ONAP/robot/assets/keys/onap_dev.pvt*

One can either set it to one's own private key, corresponding to the public key inserted into the VMs via the *vnfPubKey* param,
OR
mount one's own private key into the robot container and change GLOBAL_VM_PRIVATE_KEY in */var/opt/ONAP/robot/resources/global_properties.robot*


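Whichever of the two options is taken, the private key robot ends up with has to be the counterpart of the *vnfPubKey* value from Step 1; a mismatch only surfaces later as robot failing to reach the VNF VMs over SSH. The following is an added example (not part of these notes or of the ONAP robot code) that pulls *vnfPubKey* out of a values.yaml and checks it against the public key derived from a private key file with `ssh-keygen -y`, comparing only the key type and key body so the trailing comment ("Generated-by-Nova") does not matter. It assumes POSIX sh, sed and ssh-keygen; the key pair and values.yaml used in the demo are generated on the fly.

```shell
#!/bin/sh
# Added example, not part of the original notes: confirm that the private key
# handed to robot (Step 4) matches the vnfPubKey in values.yaml (Step 1).
# Assumes POSIX sh, sed and ssh-keygen.

# Print the vnfPubKey value from a values.yaml (first occurrence, quotes stripped).
extract_vnf_pubkey() {
    sed -n 's/^[[:space:]]*vnfPubKey:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Compare the public key derived from PRIVATE_KEY_FILE with EXPECTED_PUBKEY.
# Only "<type> <base64>" is compared; the trailing comment is not key material.
# Exit 0 on match, 1 on mismatch, 2 when the private key cannot be read/parsed.
key_pair_matches() {
    private_key_file="$1"
    expected_pubkey="$2"
    derived_pubkey="$(ssh-keygen -y -f "$private_key_file" 2>/dev/null)" || return 2
    set -- $derived_pubkey
    derived_core="$1 $2"
    set -- $expected_pubkey
    expected_core="$1 $2"
    [ "$derived_core" = "$expected_core" ]
}

# Demo on constructed data: a throwaway key pair is generated into a temp dir
# and its public half written into a minimal values.yaml in the Step 1 format.
workdir="$(mktemp -d)"
if ssh-keygen -q -t ed25519 -N '' -f "$workdir/demo_key" >/dev/null 2>&1; then
    printf '  vnfPubKey: "%s"\n' "$(cat "$workdir/demo_key.pub")" > "$workdir/values.yaml"
    if key_pair_matches "$workdir/demo_key" "$(extract_vnf_pubkey "$workdir/values.yaml")"; then
        echo "private key matches vnfPubKey"
    else
        echo "private key does NOT match vnfPubKey; robot would not be able to log in to the VNFs"
    fi
else
    echo "ssh-keygen not available; skipping demo"
fi
rm -rf "$workdir"
```

On a real installation the call is `key_pair_matches /path/to/own_key "$(extract_vnf_pubkey <helm_charts_dir>/onap/values.yaml)"`, run before the key is copied into the robot container; exit status 2 means the file itself is unreadable or not a private key, which is worth distinguishing from a plain mismatch.
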
Step 5. robot init - demo services distribution
================================================

Run the following robot script to execute both init_customer and distribute

::

  # demo-k8s.sh <namespace> init

  [root@tomas-infra robot]# ./demo-k8s.sh onap init



Step 6. robot instantiateVFW
============================

The following tag is used for the whole vFWCL testcase. It deploys a single heat stack with 3 VMs and sets the policies and the APPC mount point needed for vFWCL to happen.

::

  # demo-k8s.sh <namespace> instantiateVFW

  [root@tomas-infra robot]# ./demo-k8s.sh onap instantiateVFW

Step 7. fix CloseLoopName in tca microservice
=============================================

In Dublin scope, the tca microservice is configured with hardcoded entries from `tcaSpec.json <https://gerrit.onap.org/r/gitweb?p=dcaegen2/analytics/tca.git;a=blob;f=dpo/tcaSpec.json;h=8e69c068ea47300707b8131fbc8d71e9a47af8a2;hb=HEAD#l278>`_

After the operational policy is updated during execution of the instantiateVFW robot tag, one must change the CloseLoopName in tca to match the generated
value in the policy. This is done in two parts:

a) get the correct value

::

  # from the drools container, i.e. drools in Dublin is not mapped to the k8s host
  curl -k --silent --user 'demo@people.osaaf.org:demo123456!' -X GET https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops --insecure


  # alternatively the same value can be obtained from the telemetry console in the drools container
  telemetry
  https://localhost:9696/policy/pdp/engine> cd controllers/usecases/drools/facts/usecases/controlloops
  https://localhost:9696/policy/pdp/engine/controllers/usecases/drools/facts/usecases/controlloops> get
  HTTP/1.1 200 OK
  Content-Length: 62
  Content-Type: application/json
  Date: Tue, 25 Jun 2019 07:18:56 GMT
  Server: Jetty(9.4.14.v20181114)
  [
      "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c"
  ]

b) update the tca microservice

See the Preconditions part in `docs_vfw.html <https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs_vfw.html>`_.
This step will be automated in El-Alto; it is tracked in `TEST-168 <https://jira.onap.org/browse/TEST-168>`_

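Until TEST-168 lands, the two parts above are a manual copy from the drools response into the tca configuration, and a stale or mistyped name means the closed loop silently never fires. The following is an added example (not part of these notes or of the ONAP policy/tca code) that extracts the control loop name from the JSON array returned in part a), in either the pretty-printed form shown above or the compact form curl returns, and compares it with the name configured for tca. It assumes POSIX sh and sed/grep only (no jq in the container); the tca field name `closedLoopControlName` is an assumption about the TCA policy format and should be adjusted to whatever key the local tca configuration actually uses.

```shell
#!/bin/sh
# Added example, not part of the original notes: read the control loop name
# returned by the drools facts endpoint (Step 7 a) and check it against the
# name configured for the tca microservice (Step 7 b). Assumes POSIX sh, sed,
# grep and tr. The key "closedLoopControlName" is assumed, not taken from the
# notes; adjust it to the real tca configuration.

# Read the JSON array on stdin and print one ControlLoop-* name per line.
# Works for both the pretty-printed telemetry output and compact curl output.
# Exit status is grep's: 1 when no name was found.
extract_controlloop_names() {
    tr '"' '\n' | grep '^ControlLoop-'
}

# Print the closedLoopControlName value found in TCA_FILE (first occurrence).
tca_configured_name() {
    sed -n 's/.*"closedLoopControlName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 when the name drools reports equals the one configured in TCA_FILE.
# An empty or missing configured value is a mismatch, never a pass.
tca_matches() {
    expected="$1"
    configured="$(tca_configured_name "$2")"
    [ -n "$configured" ] && [ "$configured" = "$expected" ]
}

# Constructed sample: the array body shown in Step 7 plus a tca config stub
# that still carries a placeholder name.
sample_response='[
    "ControlLoop-vFirewall-da1fd2be-2a26-4704-ab99-cd80fe1cf89c"
]'
tca_file="$(mktemp)"
printf '{"closedLoopControlName": "ControlLoop-vFirewall-00000000-placeholder"}\n' > "$tca_file"

loop_name="$(printf '%s\n' "$sample_response" | extract_controlloop_names)"
if tca_matches "$loop_name" "$tca_file"; then
    echo "tca already configured for $loop_name"
else
    echo "tca has '$(tca_configured_name "$tca_file")' but policy has '$loop_name': update tca"
fi
rm -f "$tca_file"
```

With the real endpoint the first line becomes `curl ... | extract_controlloop_names` using the curl from part a); if more than one name comes back, each is printed on its own line and the operator has to pick the vFirewall one rather than blindly taking the first.
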
Step 8. verify vFW
==================

Verify vFWCL. This step just verifies the CL functionality, which can also be verified by checking the DarkStat GUI on the vSINK VM (<sink_ip>:667).

::

  # demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address>
  # e.g. where 10.8.8.5 is the IP from the public network dedicated to the vPKG VM
  [root@tomas-infra robot]# ./demo-k8s.sh onap vfwclosedloop 10.8.8.5

.. |image0| image:: images/vFWCL-dublin.jpg
   :width: 387px
   :height: 393px