Warning: Draft Content
This wiki is under construction
<<Add steps to observe closed loop control>>
For version 1.0.0, start with the section at and below "__Closedloop for vFirewall demo:__" in https://nexus.onap.org/content/sites/raw/org.openecomp.demo/README.md (for example, when packet throughput drops below 300 or rises above 700 packets/sec).
vFirewall Demo Runtime Behaviour
vFirewall Flow
see also Log Streaming Compliance and API#DeploymentDependencyTree-Containerlevel
TODO: part 12 SDC distribution is missing AAI calls and needs a reverify - while robot 13+ are ok, we are not accounting for manual SDC based distribution
SDC Distribution Flow
TODO: expand on 43: policy to appc, also reverify 41 pull TCA
Default Traffic Generator
The following default traffic should be observed out of the box on the PGN VM of the vFW demo after "./demo.sh appc DemoModule" has been run.
Verify network traffic by getting your eth interface name and running tcpdump on it:
    ifconfig
    sudo tcpdump -i <ifname>
TBD: how many of the 10 TG streams are running?
TBD: what exactly does enabling 5 of the 10 TGs do?
TBD: what exactly is the correlation between SEC_MEASUREMENT_OUTPUT and TCA_EVENT_OUTPUT (threshold crossing action) - is there something like a PK to relate them?
Testing, Deploying, and debugging on a PDP-D
Tutorial: Testing the vFW flow in a standalone PDP-D
http://onap.readthedocs.io/en/latest/submodules/dcaegen2.git/docs/sections/installation.html
17 Comments
Kedar Ambekar
Hi, may I know when this page will be written? How to 'see' what vFW is doing?
Kedar Ambekar
As shown in webinar, I am able to see VES events at the collector web page.
How should these events be seen as per default vFW policy? As per thresholds mentioned, packetsIn values should be in the range of 300 to 700? Could someone explain policy behavior in this regard?
Daniel Rose
Michael Borokhovich might be better able to fill out this page with some details
Michael O'Brien
The rackspace demo VFW was deployed OK using some changes to the service install page before this - deploy "service" not the pre-populated "demoVFW". When we get traffic generation stats we will post details here shortly
thank you
/michael
Michael O'Brien
Yves and I now have traffic generation working for the vFirewall - posting details shortly
Eric Debeau
Thanks for the diagram. It is very useful.
For distribution, I believe that TOSCA template goes towards APPC & MSO.
I am surprised that operations 25 & 26 are going towards the SDNC.
Michael O'Brien
Yes, operations 25/26 where we preload the VF Module are currently done by the robot framework outside of VID (although prior to the SDNC call - robot runs a rest call to vid for a vf_modules list via looping (/models/services/uuid)). Robot indirectly updates AAI via these SDNC post calls.
demo.sh preload updates the DB on SDNC via
In general ONAP will require more function exposure via REST in order to help out with the lack of an overall orchestrator that works with VID in 1.0.0.
If you trace the robot call from ./demo.sh - we see that eventually a post is done against SDNC in the current node js backend - that directly inserts into the VNF_PROFILE table in SDNC (This call is unfortunately directly to the DB with no ORM abstraction or validation of the actual SQL currently).
preload flow details
--------------------------
demo.robot
calls demo_preload.robot (although it screen scrapes the Service ID previously from VID - in this call it does a rest call to VID to package up the vm modules list) and calls SDNC preload with these (the diagram needs a 25-2 for robot to VID as well for this sub-step)
calls sdngc_interface.robot (logs in and posts to sdnc/mobility/addVnfProfile)
which calls the post form
<form name="addForm" role="form" action="/mobility/addVnfProfile" method="POST">
http://sdnc:8843/mobility/getVnfProfile
which runs a backend DB insert operation
/michael
Brian Freeman
Michael,
Some of the preload data is used when manual IP address assignments are needed for a VNF. In ONAP we didn't include an IPAM function (the AT&T system for that is not open source) so we re-purposed the VNF preload data function that is part of our Generic VNF flow. A future work item is to add an IPAM module to the open source SDNC (there are a few open source ones) and then SDNC could assign the resources as needed. The preload step also goes away in ONAP as we push the changes to SDC to have some of that done at VNF onboarding rather than during instantiation.
Brian
Daniel Rose
We have a story to do it in VID (https://jira.onap.org/browse/VID-1); now we just need to make the robot framework take advantage of that.
Michael O'Brien
Daniel, Brian,
Good to know, I am interested in all plans around refactoring orchestration. It will be nice to see how we fully implement our orchestrator in R1 so we don't have to rely on the robot test framework + VID (the current 6 step init/create-service/create-vnf/preload/create-vf-module/appc interleaved robot/vid calls).
Daniel Rose
Well, VID is just a front end to MSO, so you could easily replace VID with MSO. The preload stuff is something we are working on eliminating.
Brian Freeman
Michael,
See the tutorial on creating the netconf mount from SDNC to APPC. Also, preload goes away naturally so much of the interleaving would be removed but we also use Robot to do the tasks of bootstrapping the awareness of a new cloud site which wasn't a focus for the base code.
Brian
Yusuf Mirza
Hi Michael, Team
While checking the VES events on the collector URL "http://<Collector IP>:3904/events/unauthenticated.TCA_EVENT_OUTPUT/group3/sub1?timeout=5000", what is the significance of "group3/sub1" passed in the URL? In the ONAP intro webinar, the URL contained "group1/C1" instead. How do I identify the correct URL for my environment running ONAP on vanilla OpenStack? I have tried both combinations but am getting an empty string output.
Our packet generator is working fine and I can see the traffic generated at <sink IP>:667
Thanks
Yusuf
Michael O'Brien
Yusuf, very good question - I did not question why we are using group3/sub1 - I'll look into this.
I was actually given a Postman template by Beejal (very helpful) which included the two calls to the dmaap SEC_MEASUREMENT_OUTPUT/TCA_EVENT_OUTPUT endpoints to aid in debugging the closed loop behavior - we pass around the template now - thank you.
I would have thought that we were keying off a subset of VES events (even though we only have SEC_*) but it may be that group<id1>/sub<id2> is used to offset already read messages from the message router (to aid in pagination) - I actually was doing my own state management of events coming in on a demo oss - and this would simplify things until I came across an example call in testsuite/robot/assets/templates/web/index.html.template recently - which seems to keep track of already consumed events from the topic (would assume only 1 listener?).
http://<Collector IP>:3904/events/unauthenticated.SEC_MEASUREMENT_OUTPUT/monitor/0?timeout=10000
will keep a consumer offset (via zookeeper?) and only send you new events keyed by "eventId"
However until I debug the specific endpoint in the attos/dmaap container (the dcae coll0 one not the message-router VM) - I won't be sure. Things may change as more of the VNF event streaming spec comes in for R1
In answer to your question about no traffic on the topics - the TCA call will give a [] empty output for a missing VF or a timed out call. It will also give no output if the events were already consumed - try waiting at least 60 sec between calls - in my experience /monitor/0 is more responsive
try increasing the timeout, there are no headers required so headers should not be an issue.
Do you see anything on SEC_MEASUREMENT_OUTPUT - should be an event every 10 sec - this is from the firewall to the DMaaP collector - as below.
/michael
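A minimal poller for the topic URLs discussed in the comment above, as an added example that is not code from the commenters or the ONAP project. It assumes the endpoint returns a JSON array whose items are JSON-encoded strings and that each VES event carries event.commonEventHeader.eventId; the function and class names and the sample body are constructed for illustration.

```python
import json
import urllib.request

def topic_url(host, topic, group, consumer_id, timeout_ms=10000, port=3904):
    """Build the poll URL in the form quoted on this page:
    /events/<topic>/<consumer group>/<consumer id>?timeout=<ms>"""
    return (f"http://{host}:{port}/events/{topic}/{group}/{consumer_id}"
            f"?timeout={timeout_ms}")

def http_get(url, timeout_s=30):
    # The socket timeout must exceed the long-poll timeout in the URL,
    # otherwise the client gives up before the server answers.
    with urllib.request.urlopen(url, timeout=timeout_s) as resp:
        return resp.read().decode("utf-8")

def decode_events(body):
    """Decode a response body; an empty body or "[]" yields no events.
    Assumption: items are JSON strings (plain objects are accepted too)."""
    body = body.strip()
    if not body:
        return []
    return [json.loads(i) if isinstance(i, str) else i for i in json.loads(body)]

def event_id(ev):
    # Assumed VES layout: event.commonEventHeader.eventId
    return ev.get("event", {}).get("commonEventHeader", {}).get("eventId")

class TopicPoller:
    """Client-side de-duplication by eventId, independent of whatever
    offset tracking the server does per consumer group/id."""
    def __init__(self, url, fetch=http_get):
        self.url, self.fetch, self.seen = url, fetch, set()

    def poll(self):
        fresh = []
        for ev in decode_events(self.fetch(self.url)):
            eid = event_id(ev)
            if eid is not None and eid in self.seen:
                continue  # already handled on an earlier poll
            if eid is not None:
                self.seen.add(eid)
            fresh.append(ev)
        return fresh

# Constructed sample response: two events, each a JSON-encoded string.
SAMPLE_BODY = json.dumps([
    json.dumps({"event": {"commonEventHeader": {"eventId": "constructed-0001"}}}),
    json.dumps({"event": {"commonEventHeader": {"eventId": "constructed-0002"}}}),
])
```

Passing a different `fetch` callable lets the decoding and de-duplication be exercised offline before pointing the poller at a live collector.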
Josef Reisinger
From my experience, there is one action missing in the diagram from APPC to traffic generator during appc (mount) from demo.sh, would be something like 39a. See more details here: APPC-76
Michael O'Brien
Yes, I forgot about the mount creation - good one - nice! I am also in the process of recreating all my diagrams in the embedded lucidchart editor here - so we can all adjust them.
Like I started for the kubernetes page - I'll restart this diagram asap.
ONAP on Kubernetes
I am currently trying to get closed loop working as much as possible with pure rest calls (removing demo.sh and vid) - I am currently at VF-Module creation (which looks like it does not need VID) - I found a couple more and will post them as well.
UCA-20 OSS JAX-RS 2 Client
BA Cherif
Hello,
is it possible to get the bpmn triggered in step 17 and to visualize it? If not, is it possible to get information about its location or something like that?
Regards,
Chérif