2021-11-16 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 16th of November 2021.

Jira No | Summary | Description | Status | Solution

Summary: Filebeat containers and potential to be used for log aggregation

Description:
A lot of Filebeat containers show up in the infrastructure healthchecks. Filebeat is a sidecar container for log aggregation and could potentially be used to prototype or implement log aggregation for stdout and stderr. It looks like there is broad coverage across ONAP projects that already have this Filebeat container.
The OOM team does not want to manage sidecars that would be used to collect logs. There are at least 30 Filebeat containers with old Java or Python versions.
https://logs.onap.org/onap-integration/daily/onap_daily_pod4_master/2021-11/12_03-22/infrastructure-healthcheck/k8s/kubernetes-status/versions.html
Filebeat sidecar container setup and configuration in OOM

Status: ongoing

Solution:
Figure out how many Filebeat containers there are in ONAP projects.
Bob to synch with Byung.
Bob to join the Integration team meeting on Wednesday.

Summary: Synch of versions with OOM and Integration teams

Description:
We have a policy of recommending the latest stable version. Apparently some difficulty was raised by Sylvain with implementing Kubernetes 1.20+.
From a process perspective we should agree on versions with Integration and OOM for each release and collect feedback.
Version synchronization started with the Java and Python version synch.
Impact analysis is important to run, but it takes time, and it is easier to do the upgrade.
Responsibility should be on the OOM or Integration team.
The goal is to have everyone aware of the versions that should be used per release.
The issue with using K8s 1.19 is that it is not supported by the community.
CentOS 8 will be deprecated in December '21; for support, 7.x is better to use as it will be available until 2024.
Huge code change in IPv6 in K8s between 1.19 and 1.20.

Status: ongoing

Solution:
Muddasar to check the link: Database, Java, Python, Docker, Kubernetes, and Image Versions
Sylvain to be contacted regarding the 1.19 version end of support.

Summary: PTL meeting update

Status: ongoing

Solution:
Topic proposals to be reviewed at the next SECCOM; automation for Release Notes could be a topic to propose.

Summary: ONAP code quality improvement

Description:
E-mail exchanges with Toine. Meeting held with Thierry, Kevin and Jess: a new job, CPS sonar verify, was created in Gerrit; it is not for quality, but that can be added.

Status: ongoing

Solution:
Test with CPS to be organized with Toine and Kevin.
Voting by TSC to change the quality gate value.

Summary: Software BOMs

Description:
SBOMs to be discussed on Thursday. Ongoing follow-up with Krzysztof.

Status: ongoing

Solution:
Ticket to be opened to work with LFN IT, build the BOM and present it to PTLs.

Summary: TSC meeting this Thursday

Description:
We present non-functional requirements for the Jakarta release.

Status: ongoing

Summary: SonarCloud dashboard has gone and is no longer supported!

Description:
Tony is checking alternatives. Poor documentation of APIs.

Status: ongoing

Solution:
SonarCloud representatives in France could be contacted (via Jessica) if needed.

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 23rd OF NOVEMBER'21. 

Synch with OOM (Sylvain)

ONAP Logging Architecture & design by Byung.

SECCOM proposal for DDF:

  • Logging requirements clarification

  • New requirements for Jakarta

  • Recommended versions (SECCOM and OOM)

  • Packages upgrades - Jakarta update

  • Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream

  • Code quality demo - main session stream

Interproject proposals:

  • SBOMs ONAP story


SECCOM MEETING CALL WILL BE HELD ON 30th OF NOVEMBER'21. 

Request from the Policy project group (Ramesh and Liam) for the 'cluster-admin' permission on one of their Helm charts in OOM, to automate Helm chart installation for a microservice.

Recording: 


SECCOM presentation:

Note from Byung-Woo Jun: 

I am attaching the ONAP Logging Architecture & design slide deck: ONAP-NG-Logging-Summary.pptx

In there (page 5), you can find an old view of ONAP logging architecture (leveraging filebeat, logstash, others). There are some reasons we don't want to use the architecture:

1) Since the log sidecar is no longer favored by OOM and others after the global requirement REQ-441 (all ONAP applications generate log events to STDOUT/STDERR), the logging sidecar is no longer desired.

2) LogStash has some license issues.

3) The new architecture simplifies ONAP logging.

We can discuss it next time.