Vetted vFirewall Demo - Full draft how-to for F2F and ReadTheDocs

20181220 - update for casablanca - TODO: review the vFW automation in https://github.com/garyiwu/onap-lab-ci - thanks @Yang Xu

This long-winded page name will revert to "Running the ONAP vFirewall Demo...." when we are finished before 9 Dec - and moved out of the wiki root

Please join and post "validated" actions/config/results - but do not move or edit this page until we get a complete vFW run, ideally before the 4 Dec KubeCon conference and worst case before the 11 Dec ONAP Conference - thank you

Under construction - this page is a consolidation of all details in getting the vFirewall running over the next 2 weeks, in preparation for anyone who would like to demo it for the F2F in Dec.

ADD content ONLY when verified - with evidence (screen-cap, JSON output etc..)

DO paste any questions and unverified config/actions in the comment section at the end - for the team to verify


HEAT Daily meeting at 1200 EDT noon Nov 27 to 8 Dec 2017 https://zoom.us/j/7939937123 see schedule at https://lists.onap.org/pipermail/onap-discuss/2017-November/006483.html

OOM Daily meeting at 1100 EDT noon Nov 29 to 1 Dec 2017 - https://lists.onap.org/pipermail/onap-discuss/2017-November/006575.html

Statement of Work

Ideally we provide this page as the draft that will go into ReadTheDocs.io - where this page gets deleted and referenced there.

There are currently 3 or more distinct pages, email threads, presentations, phone calls, meetings where all the details needed to "Step by Step" get a running vFirewall up are located.

We would like to get to the point where we were before Aug 2017 where an individual with an Openstack environment (OOM as well now) - could follow each instruction point (action - and expected/documented result/output) and end up with our current minimal sanity usecase - the vFirewall

If you have any details on configuration of getting up the vFirewall post them to the comments section and it will be tested and incorporated

Ideally any action added to this page itself - is fully tested with resulting output (text/screencap) - pasted as a reference.

JIRAs: https://lf-onap.atlassian.net/browse/OOM-459 for OOM and https://lf-onap.atlassian.net/browse/INT-106 for HEAT

Output

1 - This set of instructions below - to go from an empty OOM host or OpenStack lab - all the way to closed loop running.

2 - A set of videos - the vFirewall from an already deployed OOM and HEAT deployment - see the reference videos from Running the ONAP Demos#ONAPDeploymentVideos see https://lf-onap.atlassian.net/browse/INT-333

3 - Secondary videos on bringing up OOM and HEAT deployments

Running the vFirewall Demo

sync with Running the ONAP Demos#QuickstartInstructions

TODO: check for JIRA on appc demo.robot working : 20171128 (worked in 1.0.0)

20180307 - SDC 503 - see pod reordering in amsterdam https://lists.onap.org/pipermail/onap-discuss/2018-March/008403.html - need to raise jira

Prerequisites

Artifact | Location | Notes

private key (ssh-add)

 

obrienbiometrics:onap_public michaelobrien$ ssh-keygen

 

SHA256:YzLggI8nGXna0Ssx0DMpLvZKSPTGZJ1mXwj2XZ+c8Gg michaelobrien@obrienbiometrics.local

paste onap_public.pub into the pub_key: sections of all the onap_openstack and vFW env files

 

 

openstack yaml and env

https://nexus.onap.org/content/sites/raw/org.onap.demo/heat/ONAP/1.1.0-SNAPSHOT/

demo/heat/onap/onap-openstack.*

 

vFirewall yaml and env
(2 VNFs)

unverified

We will use the split vFWCL (vFW closed loop) in demo/heat/vFWCL

 

demo/heat/vFWCL/vFWPKG/base_vpkg.env

demo/heat/vFWCL/vFWSNK/base_vfw.env

  image_name: ubuntu-14-04-cloud-amd64

  flavor_name: m1.medium

  public_net_id: 971040b2-7059-49dc-b220-4fab50cb2ad4

cloud_env: openstack

  onap_private_net_id: oam_onap_6Gve

  onap_private_subnet_id: oam_onap_6Gve

Note: the network must be the one that shows on the instances page - or the only non-shared one in the network list

 

not the older

https://nexus.onap.org/content/sites/raw/org.onap.demo/heat/vFW/1.1.0-SNAPSHOT/

or the deprecated https://nexus.onap.org/content/sites/raw/org.openecomp.demo/heat/vFW/1.1.0-SNAPSHOT/

 

 

 

 

 

demo/heat/vFWCL/vFWPKG/base_vpkg.env

 

 

 

 

 

 

 

 

vFirewall Tasks

Ideally we have an automated one-click vFW deployment - in the works.

sync with Running the ONAP Demos#QuickstartInstructions

T# | Task | Action (Rest URL+JSON payload, UI Screencap or Console cmd) | Result (JSON / Text / Screencap) | Artifacts (Link or attach file) | Env (OOM, HEAT or both) | Verify Read Last run | Notes

 

 

./demo-k8s.sh onap init_robot

./demo-k8s.sh init

start with a full DCAE deploy (amsterdam) via OOM

 

ubuntu@a-onap-devopscd:~/oom/kubernetes/robot$ ./demo-k8s.sh onap init_robot
Number of parameters: 2
KEY: init_robot
WEB Site Password for user 'test':
++ ETEHOME=/var/opt/OpenECOMP_ETE
++ VARIABLEFILES='-V /share/config/vm_properties.py -V /share/config/integration_robot_properties.py -V /share/config/integration_preload_parameters.py'
+++ kubectl --namespace onap get pods
+++ sed 's/ .*//'
+++ grep robot
No resources found.
++ POD=
++ kubectl --namespace onap exec -- /var/opt/OpenECOMP_ETE/runTags.sh -V /share/config/vm_properties.py -V /share/config/integration_robot_properties.py -V /share/config/integration_preload_parameters.py -v WEB_PASSWORD:test -d /share/logs/demo/UpdateWebPage -i UpdateWebPage --display 89

 

 

 

 

 

 

optional

Before robot init (init_customer and distribute)

 

 

 

 

 

 

 

optional

cloud region PUT to AAI

from postman:code

PUT /aai/v11/cloud-infrastructure/cloud-regions/cloud-region/Openstack/RegionOne HTTP/1.1
Host: 34.232.186.178:30233
Accept: application/json
Content-Type: application/json
X-FromAppId: AAI
X-TransactionId: get_aai_subscr
Authorization: Basic QUFJOkFBSQ==
Cache-Control: no-cache
Postman-Token: d5de805a-3053-9fa3-55ba-256a60182458

{
  "cloud-owner": "Openstack",
  "cloud-region-id": "RegionOne",
  "cloud-region-version": "v1",
  "cloud-type": "SharedNode",
  "cloud-zone": "CloudZone",
  "owner-defined-type": "OwnerType",
  "tenants": {
    "tenant": [{
      "tenant-id": "1035021",
      "tenant-name": "ecomp-dev"
    }]
  }
}

 

201 created

 

OOM

GET /aai/v11/cloud-infrastructure/cloud-regions/cloud-region/Openstack/RegionOne HTTP/1.1
Host: 34.232.186.178:30233
Accept: application/json
Content-Type: application/json
X-FromAppId: AAI
X-TransactionId: get_aai_subscr
Authorization: Basic QUFJOkFBSQ==
Cache-Control: no-cache
Postman-Token: fe212362-58dc-99d8-c09a-c5de08995dbb

200 OK

{
  "cloud-owner": "Openstack",
  "cloud-region-id": "RegionOne",
  "cloud-type": "SharedNode",
  "owner-defined-type": "OwnerType",
  "cloud-region-version": "v1",
  "cloud-zone": "CloudZone",
  "sriov-automation": false,
  "resource-version": "1511745669015"
}

 

20171126

 

1

optional

TBD - cloud region PUT to AAI

 

Verify: cloud-region is not set by robot ./demo.sh init (only the customer is) - we need to run the rest call for cloud region ourselves

watch intermittent issues bringing up aai1 containers in INT-437: AAI-vm1 HEAT deploy failing to start all 6 containers (Closed)

 

HEAT

 

TBD 201711xx

 

 

SDC Distribution

(manual)

 

HEAT http://portal.api.simpledemo.onap.org:8989/ONAPPORTAL/login.htm

OOM: http://<host>:30211

License Model

as cs0008 on SDC onboard | new license model | license key groups (network wide / Universal) |

Entitlement pools (network wide / absolute 100 / CPU / 000001 / Other tbd / Month) |

Feature Groups (123456) manuf ref # | Available Entitlement Pools (push right) |

License Agreements | Add license agreement (unlimited) - push right / save / check-in / submit | Onboard breadcrumb 

VF

Onboard | new Vendor (not Virtual) Software Product (FWL App L4+) - select network package not manual checkbox |

select LA (Lversion 1, LA, then FG) save | upload zip | proceed to validation | checkin | submit

Onboard home | drop vendor software prod repo | select, import vsp | create | icon | submit for testing

Distributing

as jm0007 | start testing | accept 

as cs0008 | sdc home | see firewall | add service | cat=l4, 123456 create | icon | composition, expand left app L4 - drag | submit for testing 

as jm0007 | start testing | accept 

as gv0001 | approve 

as op0001 | distribute

 

 

 

 

 

 

TBD Customer creation

 

Note: robot ./demo.sh

oom: oom/kubernetes/robot/demo-k8s.sh

 

 

 

 

 

 

SDC Model Distribution

 

If you are at this step - switch over to @Alexis de Talhouët page on vFWCL instantiation, testing, and debugging

 

 

 

 

 

 

TBD VID Service creation

 

 

 

 

 

 

 

 

TBD VID Service Instance deployment

 

 

 

 

 

 

 

 

TBD VID Create VNF

 

 

 

 

 

 

 

 

VNF preload

OK (REST)

 

http://{{sdnc_ip}}:8282/restconf/operations/VNF-API:preload-vnf-topology-operation

note the service-type change - see gui top right

POST /restconf/operations/VNF-API:preload-vnf-topology-operation HTTP/1.1
Host: 10.12.5.92:8282
Accept: application/json
Content-Type: application/json
X-TransactionId: 0a3f6713-ba96-4971-a6f8-c2da85a3176e
X-FromAppId: API client
Authorization: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
Cache-Control: no-cache
Postman-Token: e1c8d1ec-4cd9-5744-3ac9-f83f0d3c71d4

{
  "input": {
    "vnf-topology-information": {
      "vnf-topology-identifier": {
        "service-type": "11819dd6-6332-42bc-952c-1a19f8246663",
        "vnf-name": "DemoModule2",
        "vnf-type": "Vsp..base_vfw..module-0",
        "generic-vnf-name": "vFWDemoVNF",
        "generic-vnf-type": "vsp 0"
      },
      "vnf-assignments": {
        "availability-zones": [],
        "vnf-networks": [],
        "vnf-vms": []
      },
      "vnf-parameters": [
        { "vnf-parameter-name": "image_name", "vnf-parameter-value": "ubuntu-14-04-cloud-amd64" },
        { "vnf-parameter-name": "flavor_name", "vnf-parameter-value": "m1.medium" },
        { "vnf-parameter-name": "public_net_id", "vnf-parameter-value": "971040b2-7059-49dc-b220-4fab50cb2ad4" },
        { "vnf-parameter-name": "unprotected_private_net_id", "vnf-parameter-value": "zdfw1fwl01_unprotected" },
        { "vnf-parameter-name": "unprotected_private_subnet_id", "vnf-parameter-value": "zdfw1fwl01_unprotected_sub" },
        { "vnf-parameter-name": "protected_private_net_id", "vnf-parameter-value": "zdfw1fwl01_protected" },
        { "vnf-parameter-name": "protected_private_subnet_id", "vnf-parameter-value": "zdfw1fwl01_protected_sub" },
        { "vnf-parameter-name": "onap_private_net_id", "vnf-parameter-value": "oam_onap_Ze9k" },
        { "vnf-parameter-name": "onap_private_subnet_id", "vnf-parameter-value": "oam_onap_Ze9k" },
        { "vnf-parameter-name": "unprotected_private_net_cidr", "vnf-parameter-value": "192.168.10.0/24" },
        { "vnf-parameter-name": "protected_private_net_cidr", "vnf-parameter-value": "192.168.20.0/24" },
        { "vnf-parameter-name": "onap_private_net_cidr", "vnf-parameter-value": "10.0.0.0/16" },
        { "vnf-parameter-name": "vfw_private_ip_0", "vnf-parameter-value": "192.168.10.100" },
        { "vnf-parameter-name": "vfw_private_ip_1", "vnf-parameter-value": "192.168.20.100" },
        { "vnf-parameter-name": "vfw_private_ip_2", "vnf-parameter-value": "10.0.100.5" },
        { "vnf-parameter-name": "vpg_private_ip_0", "vnf-parameter-value": "192.168.10.200" },
        { "vnf-parameter-name": "vsn_private_ip_0", "vnf-parameter-value": "192.168.20.250" },
        { "vnf-parameter-name": "vsn_private_ip_1", "vnf-parameter-value": "10.0.100.4" },
        { "vnf-parameter-name": "vfw_name_0", "vnf-parameter-value": "vFWDemoVNF" },
        { "vnf-parameter-name": "vsn_name_0", "vnf-parameter-value": "zdfw1fwl01snk01" },
        { "vnf-parameter-name": "vnf_id", "vnf-parameter-value": "vFirewall_vSink_demo_app" },
        { "vnf-parameter-name": "vf_module_id", "vnf-parameter-value": "vFirewall_vSink" },
        { "vnf-parameter-name": "dcae_collector_ip", "vnf-parameter-value": "127.0.0.1" },
        { "vnf-parameter-name": "dcae_collector_port", "vnf-parameter-value": "8080" },
        { "vnf-parameter-name": "repo_url_blob", "vnf-parameter-value": "https://nexus.onap.org/content/sites/raw" },
        { "vnf-parameter-name": "repo_url_artifacts", "vnf-parameter-value": "https://nexus.onap.org/content/groups/staging" },
        { "vnf-parameter-name": "demo_artifacts_version", "vnf-parameter-value": "1.1.0" },
        { "vnf-parameter-name": "install_script_version", "vnf-parameter-value": "1.1.0-SNAPSHOT" },
        { "vnf-parameter-name": "key_name", "vnf-parameter-value": "onapkey" },
        { "vnf-parameter-name": "pub_key", "vnf-parameter-value": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlc+Lkkd6qK4yrhwgyEXmDuseZihbdYk3Dd90p4/TTDCenGVdfdPU9r4KuCrn8nhjjhVvOx8s1hSi03NI9qHQasLcNCVavzse04kq/RlrkmEvSnqI0/HYNOMYASBQAxgF/pocbANnERcfzXrWiymK5Aqm3U8P25EkeKp9tQmSiijki8ywA5iXuBDWiPQxE5gtxotGMUH5EhElHXlQ2lWRc3IlHghfoh8sI3auz7Bimma3vEUd64e6uuZR5oxCdv3ybZBkYnOcgiGaeP7sWDpjggpI40bfoQ/PbZh4u9maLPmY8vm1HKebZgfwkgEXSi0B4QgUHlRcVWV7lNo+418Tt michaelobrien@obrienbiometrics" },
        { "vnf-parameter-name": "cloud_env", "vnf-parameter-value": "openstack" }
      ]
    },
    "request-information": {
      "request-id": "robot12",
      "order-version": "1",
      "notification-url": "openecomp.org",
      "order-number": "1",
      "request-action": "PreloadVNFRequest"
    },
    "sdnc-request-header": {
      "svc-request-id": "robot12",
      "svc-notification-url": "http:\/\/openecomp.org:8080\/adapters\/rest\/SDNCNotify",
      "svc-action": "reserve"
    }
  }
}

Result 200

{ "output": { "svc-request-id": "robot12", "response-code": "200", "ack-final-indicator": "Y" } }

 

 

 

 

 

 

 

VNF preload

(alternative, no postman)

(hope I got it right)

references to video are like

"X-mm:ss some text"

where X is 0..5 and the video is 20171128_1200_X_of_5_daily_session.mp4

  • Step 1: Prepare JSON. You need: JSON payload from above

  • You need to be very careful with the wording .. It is extremely confusing

  • Press the little “I” next to the service instance

  • The next dialog shows a ‘Service Instance ID:’

  • Copy the value into “service-type” field of JSON payload

  • Close the dialog

  • (2-20:15 get service instance in Video)

  • press little "i" in vnf

  • Look for VNF Type, take the part after the slash and copy value into “generic-vnf-type” of JSON payload

  • Look for VNF Name and copy the value into “generic-vnf-name” of JSON payload

  • Look for a vnf-parameter-name=“vfw_name_0”

  • Put the same value in the associated “vnf-parameter-value” field

  • Close Dialog

  • (2-21:25 in the video)

  • Press the green add VNF Module Button

  • Select desired module (depends whether you have already added both for the demo)

  • Look for Model Name and copy value to vnf-type of JSON payload

  • Cancel(!) from dialog

 

  • Fill remaining Parameters

  • Select a proper module name and put it in the vnf-name field of JSON payload

  • Get the name of the onap-private network and put it in the onap_private_net_id and onap_private_subnet_id fields of vnf-parameters of JSON payload

  • Double check the public net id

  • Make sure the correct ssh key is configured under vnf-parameters

 

  • Scroll down to ‘POST /operations/VNF-API:preload-vnf-topology-operation’. Careful, there are similar entries there too

  • Copy your JSON into the field for the request body

  • Scroll down to “Try It” and try it
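The consistency checks implied by the steps above, as an added example (not part of the original page or of ONAP's own tooling): it validates a preload body before it is pasted into the request field. `check_preload` and `check_pub_key` are hypothetical helper names; the pairing of each private IP with a CIDR and the UUID shape of the Service Instance ID are assumptions inferred from the sample payload on this page.

```python
import base64
import ipaddress
import uuid

# Assumption: which network each private IP belongs to, inferred from the
# sample values in the preload payload on this page.
IP_NET = {"vfw_private_ip_0": "unprotected", "vfw_private_ip_1": "protected",
          "vfw_private_ip_2": "onap", "vpg_private_ip_0": "unprotected",
          "vsn_private_ip_0": "protected", "vsn_private_ip_1": "onap"}

def check_pub_key(value):
    """Validate an OpenSSH 'ssh-rsa <base64> [comment]' public key line."""
    parts = value.split()
    if "PRIVATE KEY" in value or len(parts) < 2 or parts[0] != "ssh-rsa":
        return ["pub_key is not an ssh-rsa public key line"]
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return ["pub_key blob is not valid base64"]
    # The decoded blob begins with a length-prefixed copy of the key type.
    if blob[:11] != b"\x00\x00\x00\x07ssh-rsa":
        return ["pub_key blob does not encode an ssh-rsa key"]
    return []

def check_preload(payload):
    """Return the problems found in a preload-vnf-topology-operation body."""
    topo = payload["input"]["vnf-topology-information"]
    ident = topo["vnf-topology-identifier"]
    params = {p["vnf-parameter-name"]: p["vnf-parameter-value"]
              for p in topo["vnf-parameters"]}
    problems = [f"{k} is missing" for k in
                ("public_net_id", "onap_private_net_id", "onap_private_subnet_id")
                if not params.get(k)]
    try:
        uuid.UUID(ident.get("service-type", ""))
    except ValueError:
        problems.append("service-type is not a Service Instance ID (UUID)")
    if ident.get("generic-vnf-name") != params.get("vfw_name_0"):
        problems.append("vfw_name_0 differs from generic-vnf-name")
    for ip_key, net in IP_NET.items():
        try:
            cidr = ipaddress.ip_network(params[f"{net}_private_net_cidr"])
            if ipaddress.ip_address(params[ip_key]) not in cidr:
                problems.append(f"{ip_key} is outside the {net} network")
        except (KeyError, ValueError):
            problems.append(f"{ip_key} or its CIDR is missing or malformed")
    return problems + check_pub_key(params.get("pub_key", ""))
```

Load the edited JSON body with `json.load` and pass it to `check_preload`; an empty list means every check passed.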

 

 

 

 

 

 

SDNC VNF Preload

(Integration-Jenkins lab)

 

(from Marco 20171128)

 

 

 

 

 

 

TBD VID Create VF-Module (vSNK)

 

Need to delete the previous failure first - raise JIRA on error

for now postfix and recreate

 

 

 

 

 

 

TBD VID Create VF-Module (vPG)

 

 

 

 

 

 

 

 

TBD Robot Heatbridge

 

 

 

 

 

 

 

 

TBD APPC mountpoint (Robot or REST)

 

 

 

 

 

 

 

 

APPC mountpoint for vFW closed-loop

(Integration-Jenkins lab)

 

see https://lists.onap.org/pipermail/onap-discuss/2017-November/006610.html

 

 

 

 

 

Verifying the vFirewall

Original/Ongoing Doc References

Running the ONAP Demos

running vFW Demo on ONAP Amsterdam Release

Clearwater vIMS Onboarding and Instantiation

UCA-20 OSS JAX-RS 2 Client

Vetted vFirewall Demo - Full draft how-to for F2F and ReadTheDocs

Integration Use Case Test Cases - could not find vFW content here

ONAP master branch Stabilization