sonata-nfv / tng-industrial-pilot Goto Github PK

• Basic idea and structure of Prometheus DB
• How to query data from Prometheus DB
  • With elasticsearch?
  • Integration with Python, eg, via this package?
• How to visualize query results? Any existing tools/dashboards that can be reused?

• NS: https://github.com/sonata-nfv/tng-industrial-pilot/tree/master/sdk-projects/tng-smpilot-ns1-emulator
  • VNFD for CC (start with single CDU, empty ubuntu container)
  • VNFD for EAE (start with single CDU, empty ubuntu container)
• pack.sh
• get vim-emu LLCM to deploy the networking correctly
• link artifacts from https://github.com/sonata-nfv/tng-industrial-pilot/wiki/Pilot-prototype-on-vim-emu
• make VNFs to CNFs
  • get initial (empty container) deployment to work on vim-emu (sonata-nfv/son-emu#291)
    • on-boarding
    • instantiation
  • get multi-cdu (empty container) deployment to work on vim-emu (sonata-nfv/son-emu#290)
    • on-boarding
    • instantiation
    • network configuration makes sense
• document example deployment on wiki https://github.com/sonata-nfv/tng-industrial-pilot/wiki/Pilot-prototype-on-vim-emu

This issue tracks the results of the weekly pilot tests performed by UPB.

Analyze machine data on a random basis, based on result execute immediate actions.

Leverage Grafana to build dashboards with nice graphs and alerts for the EAE: #43 (comment)

• Build on existing Grafana docker image
• K8s: Configure to connect to the CC's Prometheus CDU
• K8s:Configure dashboard to show some useful graphs
• K8s:Configure some example alerts with email notifications
• vim-emu: Configure to connect to the CC's Prometheus CDU
• vim-emu: dashboard to show some useful graphs
• vim-emu: some example alerts with email notifications

Note: If we have many NS1 (vim-emu case) you will be always logged out if you switch from one Grafana browser window to another. Not a big deal, but don't be surprised.

See: https://git.cs.upb.de/5gtango/generalInfo/wikis/industry_pilot_vnf_cc_devpage

We should have continues integration (automated testing) for this repo.

The tests should:

1. Build all Docker-based VNFs and FSMs/SSMs
2. Package (and thus validate) all SDK projects and store the resulting *.tgo files as artifacts
   • ./pack.sh in sdk-projects

• build
  • vnfs
  • package
    • BUG: packager does NOT find validator: 2019-01-28 14:51:49 jenkins tango.tngsdk.package.validator:l61 ERROR Skipping validation: tng-sdk-validate not installed?
• publish
  • vnfs
  • package
• pipeline_local.sh
  • update README's

Test Cases
We assume three test cases for the SM pilot:

Test case 1: NS1 tested in isolation

Input: Send 100 MQTT messages to NS1 (Probe A)
Tested: NS1 forwards MQTT
Output: Check if 100 MQTT messages are received (Probe B)

Test case 2: NS2 tested in isolation

Input: Send 100 Euromap63 messages to the Samba share of NS2 (Probe C)
Tested: NS2 translates Euromap63 to MQTT
Output: Check if 100 MQTT messages are received (Probe B)

Test case 3: Test NS1 + NS2 end-to end

Input: Send 100 Euromap63 messages to the Samba share of NS2 (Probe C)
Tested: NS2 translates Euromap63 to MQTT, NS2 sends to NS1, NS1 forwards MQTT
Output: Check if 100 MQTT messages are received (Probe B)

Probes Required

Probe A: MQTT generator

• simple MQTT generator

Probe B: MQTT receiver

• receive messages, log them and check if they are 100. Write results to shared folder.

Probe C: Euromap63 generator

• This is basically the digital twin

FMP must be able to trigger the SP to instantiate NS2.
It is important to do this instantiation with the correct instantiation parameters, e.g., the IP address of the already running NS1 (normal) and NS1 (quarantine).

UI for control of pilot demonstration. Manage machine park layout, add/delete machines.

please ask if information is needed, might be topic for next telco

When deploying the CC processor container through Kubernetes it repeatedly crashes. We should figure out why and fix it.

$ kubectl get pods
NAME                                           READY   STATUS    RESTARTS   AGE
ns1-cc-broker-deployment-867484cd6b-s8f7k      1/1     Running   0          8m5s
ns1-cc-processor-deployment-5d64659ff8-b7vnt   1/1     Running   3          8m5s
ns1-eae-deployment-787c944c87-8rcp5            1/1     Running   0          8m4s
ns2-dt-deployment-6f8486884-4x7cw              1/1     Running   0          8m1s
ns2-mdc-deployment-655dfddc7b-jxz6w            1/1     Running   0          8m1s

The logs are not very useful:

tango@fgcn-tango-k8s-2:~$ kubectl logs -f ns1-cc-processor-deployment-5d64659ff8-b7vnt
CC-CDU02 (processor): Starting Azure Cloud Connector ...

Any ideas? Maybe start by adjusting the print statements to use print(..., flush=True) to ensure output is flushed and shown in the logs for debugging?

Please change the tags in corresponding NS / TD

tng-smpilot-ns1-emulator.eu.5gtango.0.1

@askmyhat @tsoenen

• NS
  • VNFD for MDC (start with single CDU, empty ubuntu container)
  • VNFD for digital twin (this is a shortcut, lets deploy the twin as part of the NS to get things running for F2F)
• link artifacts from https://github.com/sonata-nfv/tng-industrial-pilot/wiki/Pilot-prototype-on-vim-emu
• test running NS on vim-emu
• document in wiki

seems like a state fetching problem

First concept design created by WEID, to be discussed with UPB on Monday

This is an intermediate step before the pilot is deployed on K8s using 5GTANGO SP, we first want to have a version that is directly deployed on K8s without 5GTANGO.

TODOs

See corresponding wiki entry

• adopt VNFs
  • prepare Dockerfiles
  • fix crashing CC processor (see #89)
• prepare K8s deployment descriptors
  • Deployments for starting the containers
  • Deployment of each CDU in a separate pod
  • Services for accessing the containers (from outside, eg, for eae)
  • Ingress for simplified external access? Or simply setting a fixed nodePort? Optional for now.
• prepare service descriptors and figure out interconnection of CDUs
  • Test connection from MDC to CC processor via CC broker using mosquitto CLI
  • Integrate and tests all CNFs of NS1 and NS2 to work together
• move DT outside of NS2 and k8s and connect to MDC from the outside
• combine all CDUs of one CNF in one deployment and pod that's reachable through one k8s service
• add new CC CDUs: Prometheus DB and exporter

This issue captures the developments and TODOs for the first working demo we are going to show in Dublin.

Demo will involve: DigitalTwind -> MDC -> CC -> EAE all deployed on vim-emu.

Documentation: https://github.com/sonata-nfv/tng-industrial-pilot/wiki/Pilot-prototype-on-vim-emu

Todos and open issues

Deployment on vim-emu

• create descriptors for NS1
• create descriptors for NS2
• test deployment of NS1 and NS2 on vim-emu
• test NS internal network connectivity
• enable connectivity from NS2 to NS1
  • not working right now, each service has its own subnet. we need to somehow route between the networks
  • add a router VNF to NS2 with a uplink interface that we can connect to the subnet of NS1
  • configure router's uplink interface to have IP in NS1 subnet
  • configure switch to add uplink to the vlan of NS1
  • configure router to have ipv4 forwarding enabled and correct routes set
    • create router VNF
    • link RTR as a new artifact from the wiki
  • configure MDC VNF to have RTR as default gateway to reach CC in NS1
• ...

VNF internals (software, configurations etc.)

• CC-CDU01: Broker
  • basic container with installed Mosquitto
  • can we show the messages somehow? (output is piped to /mosquitto.log for now)
    • docker exec -it mn.vnf_cc.cdu01 mosquitto_sub -h 30.0.1.1 -p 1883 -v -t machines/+/sensors/+
• CC-CDU02: Processor
  • create custom Docker image
  • integrate WEID software (without Azure keys (!!!!))
  • add keys to server
  • add a custom script that subscribes to broker and dumps all messages to a file (enough for Dublin presentation) pushes it to WEID's Azure cloud
• MDC
  • add MQTT client script to MDC to check that MDC can connect to CC-CDU01 and let it send random data (/mqtt_generator.sh)
  • add real MDC code from WEID
  • add Samba/NFS to create a shared folder to which the DT connects
• DigitalTwin
  • add DT code from WEID
  • configure to use shared folder from MDC
    • fix permissions when files and folders should be created
    • check if we have a race condition in the emulator? MDC needs to be up before DT connects
  • try forwarding to get access to DT's web interface from remote -> Does require port in emulator -> vim-emu update (DONE make a new issue from this: sonata-nfv/son-emu#295)
  • add autostart functionality to IMMS.py (command line parameters to start it)

Bugs

• Running mosquitto blocks emulator shutdown (starting process in background with & solves it)

Others

• create a detailed network diagram of the demo (show subnets, CDUs, IPs per CDU, OVSs, NAT, ...)
• check if the old emulator dashboard still works (nice for demos)
  • Not integrated anymore! Must do. Use temp solution on local machine (Bookmark bar "Emu. Dashbaord")

Known Issues

• docker needs to run privileged to allow mount of SAMBA share (won't work in K8s)

Provide relevant data for AR maintenance. One idea is to use data from VNF Edge Analytics Engine here.

Detect all attacks on machine network, created once per machine park

This VNF is used in several network services, specific paramter sets are needed.

seems like a state fetching issue

When doing: https://github.com/sonata-nfv/tng-industrial-pilot/wiki/Pilot-prototype-on-vim-emu

The pilot stops working after about 5 minutes.

My first impression is that something between DT and MDC breaks and thus no new messages are published to the broker. The DT and MDC applications as such seem to be still running. Samba? (but this is only a first impression!)

I would assume similar things will happen on K8s.

Need to investigate further ...

This small auxiliary component intents to solve the problem that FSMs are not reachable from the outside making it hard to trigger manual reconfigurations, e.g., from the FMP. The idea is to run this small component next to the FMP. The FMP could access it using a REST API provided by the SDMP-CC. The FSM in turn connects to the SMP-CCS and opens a gRPC server stream connection. Using the the SMP-CCS can trigger actions in the FSM whenever it wants, still the FSM needs not to be reachable from outside. The only assumption here is that the FSM can reach the SMP-CCS, which can easily be realised, e.g., by hosting the SMP-CCS in the public Internet.

Code location: tools/smp-ccs
README and documentation: here

The SMP-CC is deployed at UPB's premises and reachable from the Internet:

• Host: fgcn-tango-smp-ctrl.cs.upb.de
• gRPC: 9012/TCP
• REST: 9011/TCP

curl -X GET fgcn-tango-smp-ctrl.cs.upb.de:9011/api/v1/ssmstatus

   {private}                        {public}
+------------+                 +-----------------+
|            |                 |     SMP-CC      |
|    FMP     |-----REST------->|(e.g. in Docker) |
|            |                 |                 |
+------------+                 +-----------------+
                                   ^        |
                                   |  (2) gRPC srv.
                                   |     stream
                               (1) gRPC     |
                                 req.       |
                                   |        |
                    + - - - - - - -|- - - - + - - - - - - - +
                                   |        v
                    |          +-----------------+          |
                               | +---------------+-+
                    |          +-+ +---------------+-+      |
                                 +-+       SSM       |
                    |              +-----------------+      |

                    |                                       |
                                 SONATA-NFV MANO
                    + - - - - - - - - - - - - - - - - - - - +
                                    {private}

Ports (e.g. fgcn-tango-vpn.cs.upb.de):

• REST: 9011
• gRPC: 9012

See: https://github.com/sonata-nfv/tng-industrial-pilot/wiki/FSM-SSM-Development

TODOs

• setup basic code skeleton
• implement basic gRPC examples
• implement full gRPC interface and clients
• allow PUT to update state of a give SSM (and multiple SSMs)
• create example showing how to toggle the quarantaine
• ensure that states are removed if SSM disconnects
• make gRPC client robust and reconnect when something breaks
• make gPRC client running in a separated thread (to move the code to the SSM)
• package the server as docker and describe its usage
• integrate client into SSM
  • when SSM starts, the SMP-CCC needs to register to the SMP-CCS
  • test that SSM is deployed correctly with NS2 and that the trigger from the outside reaches it
  • add logging of register events to server part for better monitoring
  • when the SSM reconfigures because of the monitoring event, the SSM-wide state must be updated
  • when a state update from the SMP-CCS arrives, the configure_event of the SSM needs to be triggered (implement SMP-CCC callback function)
    • call callback method
    • generate and send broker message that triggers the real configure_event
    • test this in real infrastructure
  • skip reconfiguration when state is already set (optional for first version)
    • monitor trigger
    • manual trigger
  • be able to reset quarantine state using the manual trigger
    • change FSM accordingly
    • change SSM accordingly
    • pass information from FSM to SSM quarantine_state
      • BUG: SSM does always send quarantine_state=Ture
    • test in real deployment
  • Optional: can we somehow send back state updates if SSM is triggered by monitoring? -> additional connection? bi-stream?
  • do a full test
• integrate FMP to SMP-CCS

This should now be possible through: sonata-nfv/son-emu#294

This will be needed for NetSoft'19!

Create a second Wiki page to document the execution of such a scenario.

Challenge: OVS config for uplink port

• monitoring trigger
• manual trigger

Not sure if this is really needed. But lets keep it in this issue.

Based on the native K8s services, and the emulator services, create a version of the pilot that can be deployed by the 5GTANGO SP on K8s.

See Felipe's initial work #75

See K8s-native issue #72

See updated Dockerfiles and descriptors: #77

Once triggered, the FSM belonging to the MSF (MDC, Suricata, Filebeat) CNF should restart the CNF and set a new value for the MQTT_BROKER_HOST env var.

Will require adjusting the code of the FSM here: https://github.com/sonata-nfv/tng-industrial-pilot/blob/master/fsms/mdc-fsm/mdc/mdcfsm.py#L149

Belongs to use case 2: #31

Connects a machine to NS2. The machines provide an ethernet connector, exchange protocol has to be defined.

Prometheus seems to be a perfect fit for this sensor data use case at the edge.

Prometheus either pulls the metrics or needs a separated "pushgateway" to push data to it.

Design: Add a 4. CDU running the push Gateway. Let the CC processor push the metrics received on the broker to Prometheus.

• vim-emu workflow

TODO

• setup :vimemu Containers
• run and test containers locally
• push some metrics
• re-test current state on vim-emu to check everything works
• custom Prometheus container compatible to vim-emu
• custom Pushgateway container compatible to vim-emu
• update vim-emu descriptors and include CC.cdu04
• update documentation figures
• push metrics from CC processor (each sensor value is one metric)
• run/integrate everything on vim-emu
  • how to check if data arrives in Prometheus without accessing the web-interface? Fixed: sonata-nfv/son-emu#295
• redesign to have a MQTT subscriber that offers a prometheus data exporter
  • replace PUSHGW by mqttexporter
  • get MQTT messages
  • export data to Prom.
  • remove old code from CC processor
  • update documentation (cdu03 = mqttex; cdu04=db)
• increase prometheus scraping time? otherwise the sine curve is hard to see
• check for stability -> #106
• extend vim-emu documentation with important commands for debugging etc. and explain how to check if everything works
• ... migrate everything to the K8s service (reference this in #72 )

Will require a bi-directional gRPC streaming connection.

The IDS matches the SMB client names to detect bad clients.

To get this working, we need to set the name of the SMB client (the one running in the IMMS/DT container) to be machine1 (that is the default we agreed for now).

We need to investigate how this can be done. Need to google a bit.

Not an issue in small deployments but becomes problem if many deployments are done.

Check if there is any busy waiting or so?

Testing with the latest version of NS2+IDS, the Kibana server never comes up and trying to access it only shows Kibana server is not ready yet - even 10min after instantiation.

Example:

• https://int-sp-ath.5gtango.eu/service-management/network-services/network-service-instances/ec2f7c0d-42ae-4dc7-8624-a56418cab6dd
• http://10.200.16.14:5601/

Connect and separate machine to machine park (NS1).

The FMP must be able to trigger the remote CC server to trigger/reset the quarantine status of NS2.

This will be done through the REST interface of the CC.

The FMP should also display (and maybe constantly poll) the current quarantine status from the CC.

Notices this today:

If I run 2 instances of NS2 connected to NS1, NS1 receives MQTT messages like these from both NS2 instances:

WIMMS/EM63/DATE 20190613
WIMMS/EM63/TIME 12:34:54
WIMMS/EM63/@ActSimPara1 5
WIMMS/EM63/@ActSimPara2   1.3324
WIMMS/EM63/ActCntCyc 588
WIMMS/EM63/ActCntPrt 587

This does not allow to distinguish which machine sends which message.

So it will make sense to include the source machine name (whatever it is) into the topic, like:

WIMMS/EM63/ActCntPrt/<machine_name>

or

WIMMS/EM63/<machine_name>/ActCntPrt

Using subscribe commands with different wildcards, NS1 can then easily filter by machine etc. e.g.: subscribe WIMMS/EM63/ActTimCyc/+ gets a single metric for all machines. or subscribe WIMMS/EM63/+/m1 gets all metrics for machine m1 etc. etc.

Not sure if I will have time to work on this before the NetSoft demo. Let's see.

Control instance for the management of network services and VNFs based on machine topology defined in the portal.