Image Manager

Created by Zi Li, last modified by Kenny Paul on Dec 15, 2020

Declined by TSC as a stand-alone project TSC 2018-01-04. Recommended as a component of Active and Available Inventory Project

Project Name:

Proposed name for the project: Image Manager

Project description:

Image Manager provides a reliable, logically centralized, user-friendly image management for ONAP at both the design time and run time. The managed objects include VM images, Docker images and software packages. By using image manager, ONAP users can upload images to ONAP system, manage images via Image Manager portal and distribute images to target VIMs on demand.

Usability:

ONAP modules can't get the image information easily at both the design time and run time because images are scattered in the VIMs. Image Manager addresses this problem by providing a centralized image catalog view and APIs for the other modules to access image information.

Manageability:

It’s very hard for ONAP user to figure out what images have been used by ONAP platform or uploaded to the VIMs. Image Manager addresses this challenge by providing a UI portal for ONAP user to manage images, including browse/upload/update/delete/distribute images.

Performance:

Currently, If an image needs to be uploaded to multiple VIMs, it has to be done separately and manually via the VIM portals, which is inefficient(imagine there might be thousands of edge clouds). Image manager addresses this issue by providing a centralized view and the images can be distributed to multiple VIMs via the Image Manager portal, which is much more efficient.

Scope:

Provide logically centralized management for images used by ONAP system, which includes VM image, Docker image, and application package.
Provide APIs to upload images to ONAP system.
Provide APIs to access the image catalog and image information in ONAP system.
Provide a UI portal in which the ONAP user can upload/update/delete/distribute images.

Architecture Alignment:

How does this project fit into the rest of the ONAP Architecture?
- Image Manager(IM) is a common service across design time and run time.
  
  Onboard images to ONAP system:
  
  Dispatch images to VIMs:
What other ONAP projects does this project depend on?
- Multi-VIM
- MSB
- Integration
How does this align with external standards/specifications?
- APIs/Interfaces - OpenAPI/Swagger
- Information/data models - Swagger JSON
Are there dependencies with other open source projects?
- APIs/Interfaces - MariaDB

Other Information:

link to seed code (if applicable)
Vendor Neutral
- All proprietary trademarks, logos, product names, will be removed when submitting the seed codes.
Meets Board policy (including IPR)

Use the above information to create a key project facts section on your project page

Key Project Facts:

Primary contact: li.zi30@zte.com.cn zhao.huabing@zte.com.cn

Facts	Info
PTL (first and last name)
Jira Project Name	Image Manager
Jira Key	IM
Project ID	Image Manager
Link to Wiki Space

Release Components Name:

Note: refer to existing project for details on how to fill out this table

Components Name	Components Repository name	Maven Group ID	Components Description
Image Manager	im	im	Image Manager

Resources committed to the Release:

Note 1: No more than 5 committers per project. Balance the committers list and avoid members representing only one company.

Note 2: It is critical to complete all the information requested, that we help to fast forward the onboarding process.

Role	First Name Last Name	Email Address
PTL
Committers
	Zi Li	li.zi30@zte.com.cn
	Tao Shen	shentao@chinamobile.com
	Hu Yuan	yuan.hu1@zte.com.cn
Contributors
	Bo Lv	lv.bo163@zte.com.cn
	Qihui Zhao	zhaoqihui@chinamobile.com
	Luman Wang	wanglm.bri@chinatelecom.cn
	Chen Yan	chenyan.bri@chinatelecom.cn
	Eric Debeau	eric.debeau@orange.com
	Kaiyue Wang	wangkaiyue@chinamoblie.com

No labels

31 Comments

Zi Li
This proposal has been discussed in both SDC weekly meeting and Architecture meeting.
SDC 6/11/2017 weekly meeting report
November 14
- Permalink
- Nov 16, 2017
Andrei Kojukhov
Hi Zi Li,
I have a couple of questions regarding the picture:
- What is a meaning of numbers within the picture (1,2,3,...)
- I believe that SDC extracts the Image (or its metadata) from the package and upload the image to hte the image storage. Right?
Andrei
- Permalink
- Nov 16, 2017
1. Zi Li
  Hi Andrei,
  Sorry for confusion about the 1,2,3 in picture, it refers to a series interface between Image Manager and other components. The pic have been updated. : )
  You are right for the second question. There will be two ways to upload the images to image storage. One is upload from SDC, the other is upload from Image Manager Portal.
  
  Thanks,
  LiZi
  Permalink
  
  Nov 16, 2017
Andrei Kojukhov
LiZi,
Tks, so (2) is not only query but also an upload - please update the picture interfaces
BR,
Andrei
- Permalink
- Nov 16, 2017
1. Zi Li
  Done for the interface between SDC and Image manger.
  Thanks,
  LiZi
  Permalink
  
  Nov 17, 2017
Michael Lando
i have an issue with the diagram you provided for the flow.
the user will not upload the image directly to image storage.
no SP will allow image uploading without some sort of security scan.
you are missing a number of components in your flow,
you do not reference vnf sdk which is responsible for packaging and you are not referencing VVP which is responsible for the image scanning.
- Permalink
- Nov 16, 2017
1. Zi Li
  Hi Michael,
  Thanks for your feedback. Yes, there should be flow about vnf sdk. I was just thinking of how the process would be with vnf sdk. After discuss with vnf sdk team, I will update that diagram.
  Thanks,
  LiZi
  Permalink
  
  Nov 17, 2017
  1. Michael Lando
    you should also have a discussion with VVP since they are responsible for the image scanning.
    in the end, vnf sdk are for vendors and they will not be pushing images directly to image repository.
    
    Permalink
    
    Nov 19, 2017
  2. Edan Binshtok
    Hi Zi.
    VVP includes image scanning so VVP can Push/forward the images into image manager.
    Just for clarificartion VVP doesn't sit inside VNF SDK only VVP validation scripts which are not connected to image scanning.
    Therefore it's not connected to the vnf sdk in this scenario and shouldn't be encapsulated inside of it.
    
    Permalink
    
    Nov 21, 2017
    1. Zi Li
      
      Hi Edan,
      Thanks for your reaching out. I have some questions about VVP. Where the image checking result will be stored? What is the output of image scanning? Is it a image with signing/certification? Is there any connection between VVP and SDC?
      LiZi
      
      Permalink
      
      Nov 21, 2017
      1. Edan Binshtok
        
        Great questions.
        The results are stored on VVP DB.
        One of the action items for the next release is determining the signatures + APIS for consumptions or results and implementing it.
        Since you guys + SDC we'll probably be direct consumers let's talk it out and come out with a good solution.
        
        Permalink
        
        Nov 21, 2017
Andrei Kojukhov
A VNF package on-boarding flow should be added - I did not see it in the Project proposal presentation. To my understanding this is by far a main scenario of using the Image manager.
- Permalink
- Nov 17, 2017
1. Zi Li
  Hi Andrei,
  VNF package on-boarding is out of scope for Image Manager. SO/VF-C/VNFM will responsible for VNF package on-boarding.
  Permalink
  
  Nov 21, 2017
  1. Andrei Kojukhov
    Not exactly. VNF package includes SW images locally or externally referred by metadata. SDC (or VVP) extracts the images, checking their integrity (digest) and authenticity (signature/certificate) before uploading the images into image repo/db. The Image manager is probably an end-point in the flow but we have to agree on it end-to-end involving different projects: as a minimum VNF-SDK, SDC, VVP and Image manager.
    
    Permalink
    
    Nov 24, 2017
Manoj Nair
Couple of questions
- Where exactly in the sequence diagram the image is uploaded to VIM ? I can see the image is uploaded to the Multi-VIM. So here the assumption is that Multi-VIM will take care of uploading the image to VIM ?
- Is it a good idea to store the images in a git repository than the ftp repository show. I guess with this you can also leverage version control , secure channel , access control , CLI integration etc. This may also enable image manager to store the images in an external repository.
- Going forward will the scope of Image manager also cover management of images for ONAP components ? For example dynamic Service components loaded in DCAE ?
- How is the images embedded within the VNF package handled ?
- How is multi-VDU VNF (VNF with multiple VMs like Clearwater vIMS) image flows handled ? I think this will require additional steps for associating VNF with VDU image
- Permalink
- Nov 23, 2017
1. Zi Li
  Hi Manoj,
  Actually from SO/VFC transfered the image URL to Multi-VIM. Multi-VIM download/copy the image from Image Repository to target VIM.
  Images usually are big files, I am not sure whether git repository fit for big files. Anyhow we have made a consequence with Multi-VIM team that Multi-VIM to provide the Image repository to store Images.
  Good suggestion. Image Manager provide the manage function for docker images which could be the ONAP components docker images or the other docker images. I think we need highlight this function.
  According to ETSI, image and VNF package can be managed separately. The image reference information(it may be image url) can be defined in VNF template. If users import a VNF package which contains an image. SDC extracts the Image and store it through Image Manager. This flow detail need further discussion with SDC team I think.
  The VNF template will define the image information and describe the relationship between VNF and each VDU.
  
  Thank you for your comments and suggestions. It helps
  Permalink
  
  Nov 23, 2017
  1. Andrei Kojukhov
    Hi Zi Li,
    You answer (4) relates to the end-2-end onboarding flow that I requested to develop with other teams (SDC is one). Your design time flow can be applicable for this purpose. You just need to separate the VNF-SDK and VVP, put more details about specific operation of each element and ask other projects to review the flow,
    Also VVP should not issue an image certificate if an image is provided by a VNF vendor. VNF vendor issues it own signature/certificate or forwards a certificate of a 3-party image provider.
    Andrei
    
    Permalink
    
    Nov 24, 2017
    1. Michael Lando
      
      I think that the certification done in VVP is that tests executed on the vnf meaning that the tosca is valid and that the image is scanned for viruses.
      vvp.
      it is an addition to the certificate provided by the vendor.
      Edan Binshtok
      
      Permalink
      
      Nov 26, 2017
      1. Edan Binshtok
        
        Agreed. VVP should also support image signature since the service providers would most likely want to make sure internally (with VVP hosted on his side) the validity of the image on not rely solely on the vendor.
        
        Permalink
        
        Nov 26, 2017
      2. Andrei Kojukhov
        
        Michael,
        If you see the image scanning as part of the VNF certification tests (besides others like TOSCA validation etc.) that will be provided by the Citification/Validation Authority (VVP OAVVA or something) I agree with you but we have to clearly state this in the flow or dedicate a certification flow as part of VVP Project, That would be an ONAP certificate. We also need to figure out if and how ONAP would be CA.
        However, there are use cases with multiple SP's where such scan can't be possible because of encryption where keys are shared between an image provider and an end-user SP.
        
        Permalink
        
        Nov 26, 2017
  2. Edan Binshtok
    Zi Li, Manoj Nair
    Regarding 2, you are right we at VVP came to the same conclusion with our run-time product.
    Git is NOT a proper solution to store big files.
    This is why we implemented and ceph/rados gatway with s3 bucket protocol specifically for image storing.
    We'd love to share the tech details if you wish.
    
    Permalink
    
    Nov 26, 2017
Andrei Kojukhov
Zi Li,
I feel that your run-time flow should be corrected. I'm confused by seeing that SO/VFC does a VNF package on-boarding instead of SDC.
SDC should always do a VNF package onboarding including all necessary validation and security check. Afterwards SDC distributes the whole CSAR or parts of it to all consumers (including SO/VFC)
Andrei
- Permalink
- Nov 24, 2017
Michael Lando
as part of the ingestion of the vnf sdc will ingest the csar and upload the image to image repository.
from there so and vfc can retrieve it according to the info in the service distributed by sdc.
the sdc communication should be limited to the csar package this way we decouple the runtime from design time.
i do not think there should be a flow were vfc and so ask sdc to upload an image.
- Permalink
- Nov 26, 2017
Andrei Kojukhov
Michael, So what is the VNF package onboarding arrow between UI and VFC/SO in the run-time flow above?
- Permalink
- Nov 26, 2017
Viswanath Kumar Skand Priya
Hi Zi Li,
I have few queries..
- What happens if SDC on-boarding ( after VVP certification ) fails for some reason? Will the uploaded image be discarded / ignored / flagged ?
- Will the images from image managed, be moved to VIM ( through SO/VF-C ) only during run-time ?
- Can image manager update images across multi-vim administratively without SO/VF-C's involvement? esp in hot-patch updates cases?
- In-case of embedded images, will the SDC flow still involve VVP ?
- Will image manager be used even for VNF upgrades scenarios ( might be in near future ) ?
BR,
Viswa
- Permalink
- Dec 07, 2017
Srinivasa Addepalli
I understand from today TSC meeting that this project is no longer a proposed project. I also see here that it is moved to "Draft project" folder. Why is this change? Is it being combined with some other project? or is this functionality found to be not necessary?
- Permalink
- Dec 07, 2017
1. HuabingZhao
  I got feedback from the community that image manager is necessary for operators.
  Permalink
  
  Dec 13, 2017
Stephen Terrill
Hi,
A question and a suggestion.
As a question, does SDC have to query VVP for validation or is that an example.
As a suggestion, the follows are described as part of the project scope. That means that are the flows that you have to deliver. I suggest you move them to the architecture alignment, and keep the scope simple. The scope should describe the project deliverables irrespective of the release.
Steve.
- Permalink
- Dec 12, 2017
1. HuabingZhao
  Hi Steve,
  Thanks, I updated the proposal according to your suggestion.
  Regarding the question, from what I got from SDC team, VVP will be part of Beijing and be used for VNF validation.
  Permalink
  
  Dec 12, 2017
Jason Hunt
Thank you for the proposal. A few questions:
- Today in Amsterdam, do I understand that image management is external to ONAP?
- Could image manager be a function underneath the SDC Catalog? Perhaps a subproject to SDC?
- Permalink
- Dec 13, 2017
1. HuabingZhao
  First question: Yes, there is no image management functionality in ONAP currently, images need to be manually uploaded to multiple VIMs in Amsterdam.
  Second question: We have discussed that option with SDC team. They think SDC is in the design time, but image manager is a component should be in both the design time and run time.
  Permalink
  
  Dec 13, 2017

Space shortcuts

Page tree