
 

1, F-GPS:

               Please refer to the patch https://gerrit.onap.org/r/#/c/78634/, which elaborates how to enhance the current API to support F-GPS.

...

https://nexus.onap.org/service/local/repositories/releases/archive/org/onap/aai/aai-common/aai-schema/1.3.3/aai-schema-1.3.3.jar/!/onap/aai_swagger_html/aai_swagger_v14.html#operation--cloud-infrastructure-cloud-regions-cloud-region--cloud-owner---cloud-region-id--availability-zones-availability-zone--availability-zone-name--get 

 



2, SO/MC integration

              

              Create Workload: https://wiki.onap.org/display/DW/SO+to+Multicloud+API+enhancements

 


               AAI updating: https://wiki.onap.org/pages/viewpage.action?pageId=58228881

 


               SDC design: https://gerrit.onap.org/r/#/c/75851/ SDC Service Software Architecture


3, FCAPS enhancement

 

Jira (ONAP JIRA): MULTICLOUD-523

...

                b, MultiCloud NBI should allow consumers to specify the tenant name/ID when calling the MultiCloud API. This can be done in various ways; the easy and backward-compatible approach is to have consumers put the tenant ID/name into "optional" request headers of the REST API call.


5, Secured-communication enablement

...

  • uwsgi https option
    The multicloud services which are based on uwsgi could utilize the https feature of uwsgi: https://uwsgi-docs.readthedocs.io/en/latest/HTTPS.html

    You probably have to rebuild uwsgi with ssl-support:

    On a debian server with uwsgi installed by pip this would be (as root):

    apt-get install libssl-dev
    pip install uwsgi -I --no-cache-dir
    

    -I for reinstall, --no-cache-dir for building new from scratch.

  • cert files
    The question would be: who generates the key and cert, and how?

    Following the practice of the MSB project, the multicloud service will generate its own keys/certs and put them in the docker image by default. These keys/certs must also be overridable by the OOM helm chart, just like the logging settings.

    It is suggested that we follow the same pattern and put the generated certs under pub/ssl/cert/ with the names cert.crt and cert.key.

  • ENV variable to enable/disable https on the same port
    I don't believe the http and https endpoints should co-exist, which makes no sense from a security perspective. So I recommend that http/https be toggled by an ENV variable and bound to the same port.
    The ENV variable could be SSL_ENABLED: to enable the https endpoint, set SSL_ENABLED=true; otherwise leave it unset or set it to some other value (e.g. SSL_ENABLED=false).
    The entry point of the docker container will check this ENV var and decide whether to run uwsgi in https or http mode.

  • example patch:       https://gerrit.onap.org/r/#/c/81829/ + https://gerrit.onap.org/r/#/c/81912/
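
The SSL_ENABLED toggle described above, sketched as a container entrypoint (an added example, not the project's own code and not the content of the linked patches). LISTEN_ADDR, CERT_DIR, UWSGI_INI, their default values and the "start" argument are assumptions of this sketch; the cert file names follow the suggestion above. When https is requested but the cert or key is unusable, it refuses to start instead of falling back to http.

```shell
#!/bin/sh
# Added example: one port, http OR https, selected by SSL_ENABLED.
# Assumed names (not from the page): LISTEN_ADDR, CERT_DIR, UWSGI_INI, "start".

LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0:8080}"   # constructed sample address
CERT_DIR="${CERT_DIR:-pub/ssl/cert}"          # directory suggested on the page
UWSGI_INI="${UWSGI_INI:-uwsgi.ini}"          # assumed application config file

# Print the uwsgi listener option for the current environment.
# Returns non-zero (fail closed) when https is requested but the
# certificate or key is missing, unreadable or empty.
uwsgi_listen_args() {
    if [ "${SSL_ENABLED:-}" = "true" ]; then
        crt="$CERT_DIR/cert.crt"
        key="$CERT_DIR/cert.key"
        for f in "$crt" "$key"; do
            if [ ! -r "$f" ] || [ ! -s "$f" ]; then
                echo "SSL_ENABLED=true but $f is missing, unreadable or empty" >&2
                return 1
            fi
        done
        # uwsgi syntax: --https <addr>,<cert>,<key>
        printf '%s\n' "--https $LISTEN_ADDR,$crt,$key"
    else
        # Unset, or any value other than "true", selects plain http.
        printf '%s\n' "--http $LISTEN_ADDR"
    fi
}

# Start uwsgi only when invoked as the entrypoint with the "start" argument.
if [ "${1:-}" = "start" ]; then
    args=$(uwsgi_listen_args) || exit 1
    # Word splitting of $args is intended: it holds one option and its value.
    exec uwsgi --ini "$UWSGI_INI" $args
fi
```

Because only the exact value "true" enables https, a typo such as SSL_ENABLED=True silently yields http; checking the logged listener option at startup catches that.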


6, Security Requirement: Run microservice as non-root user 

...

Jira (ONAP JIRA): MULTICLOUD-504

Reference:

...

dockerfile changes

Image footprint optimization exercises:

1, original dockerfile => (multicloud-broker-orig: 846MB)

Dockerfile:

FROM python:2

2, rebase to python:2-slim => (multicloud-broker-slim1: 410MB)

Dockerfile:

FROM python:2-slim
apt-get install -y unzip gcc
pip install -r ...
apt-get remove -y unzip gcc

3, remove unused packages => (multicloud-broker-slim2: 296MB)

Dockerfile:

FROM python:2-slim
apt-get install -y unzip gcc
pip install -r ...
apt-get remove -y unzip gcc


/opt/multivimbroker/requirements.txt

#redis cache
#redis==2.10.5

#for access redis cache
#redisco==0.1.4
#django-redis-cache==0.13.1

#for call openstack api
#python-keystoneclient==3.6.0
#python-glanceclient==2.5.0
#python-neutronclient==6.0.0

#for unit test
#django-nose>=1.4.0
#coverage==4.2
#mock==2.0.0
#unittest_xml_reporting==1.12.0

#for pecan framework
#pecan>=1.2.1
#oslo.concurrency>=3.21.0
#oslo.config>=4.11.0
#oslo.service>=1.25.0
#eventlet>=0.20.0


 


4, Remove all unused utils package => (multicloud-broker-slim4: 194MB)
Dockerfile:

FROM python:2-slim
apt-get install -y wget unzip gcc
apt-get --purge remove -y wget unzip gcc
apt-get -y autoremove
 

multicloud-broker-slim4   latest              4452cb69a1be        6 minutes ago       194MB
multicloud-broker-slim2   latest              3c232d46c0fa        10 minutes ago      296MB
multicloud-broker-slim1   latest              5ba81358eb19        16 minutes ago      410MB
multicloud-broker-orig    latest              7601a4382bb0        10 days ago         846MB
python                    2-slim              f2ac6489d817        10 days ago         120MB





Managing Container Image Tags