author:    earrage <eddie.arrage@huawei.com>  2018-11-09 13:30:29 -0800
committer: earrage <eddie.arrage@huawei.com>  2018-11-09 13:31:58 -0800
commit:    82c9058898b1d5eb3155d7c969176533f509ffc5 (patch)
tree:      ffef76e49fef51afad39fc2475a179cfced92c5e
parent:    f9a0e3cea4ac15c0be8eb9ba82776773e4403079 (diff)
Modify SDC guide for snort/lb config change from CLI

- Convert instructions on how to modify runtime config of snort-ids and
  http-lb services using cloverctl rather than using python gRPC client script
- Remove A-B validation from the SDC guide and from the config guide index,
  as it was not updated from Fraser to Gambia
- Add a yaml to add icmp ids rule

Change-Id: I0c5391d9eac0130586d4ab25543a3d308c2ed558
Signed-off-by: earrage <eddie.arrage@huawei.com>
-rw-r--r--  clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml |  9
-rw-r--r--  docs/release/configguide/index.rst                    |  1
-rw-r--r--  docs/release/configguide/sdc_config_guide.rst         | 63

3 files changed, 32 insertions, 41 deletions
diff --git a/clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml b/clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml
new file mode 100644
index 0000000..44ece96
--- /dev/null
+++ b/clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml
@@ -0,0 +1,9 @@
+sid: "10000001"
+protocol: icmp
+dest_port: any
+dest_ip: $HOME_NET
+src_port: any
+src_ip: any
+msg: icmp_test
+rev: "001"
+content: ''
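Review bot: sid 10000001 is the value the SDC guide later cites for "the custom rule", so check that idsrule_scan.yaml does not also use 10000001; Snort treats a second local rule with the same gid/sid as a duplicate and the second rule will not load as intended. Two further things the reader of this yaml cannot see: `dest_ip: $HOME_NET` only parses if HOME_NET is defined in the snort-ids container's snort.conf, and `content: ''` with `protocol: icmp` means the rule fires on every ICMP packet to HOME_NET (which is what the guide wants, but a one-line comment saying so would stop someone "fixing" it).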
diff --git a/docs/release/configguide/index.rst b/docs/release/configguide/index.rst
index 41c1eca..d0c446e 100644
--- a/docs/release/configguide/index.rst
+++ b/docs/release/configguide/index.rst
@@ -14,7 +14,6 @@ Clover Configuration Guide
controller_services_config_guide.rst
sdc_config_guide.rst
- a_b_config_guide.rst
jmeter_config_guide.rst
visibility_config_guide.rst
modsecurity_config_guide.rst
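Review bot: the toctree entry for a_b_config_guide.rst is dropped but the file itself is not removed in this change (the diffstat lists only three files), so Sphinx will warn "document isn't included in any toctree" on every build. Either delete docs/release/configguide/a_b_config_guide.rst in this change or add `:orphan:` at the top of it, and say in the commit message which is intended.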
diff --git a/docs/release/configguide/sdc_config_guide.rst b/docs/release/configguide/sdc_config_guide.rst
index 7b7e77a..a50795f 100644
--- a/docs/release/configguide/sdc_config_guide.rst
+++ b/docs/release/configguide/sdc_config_guide.rst
@@ -409,10 +409,9 @@ Modifying the run-time configuration of services
================================================
The following control-plane actions can be invoked via GRPC messaging from a controlling agent.
-For this example, it is conducted from the host OS of a Kubernetes cluster node.
-
-**Note, the subsequent instructions assume the flannel network CNI plugin is installed. Other
-Kubernetes networking plugins may work but have not been validated.**
+For this example, it is conducted from the host OS of a Kubernetes cluster node using Clover
+system services. This requires **clover-controller** and **cloverctl** CLI be deployed. See
+instructions at :ref:`controller_services_controller`.
.. _sdc_modify_lb:
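Review bot: the flannel caveat is removed here, but unchanged text further down in this file still tells the reader to ping "the flannel IP address assigned to the **snort-ids** pod", so the guide continues to assume flannel without saying so. Either keep a shortened version of the note or reword that later paragraph to "the pod IP (``kubectl get pod -o wide``)". Grammar nit on the added sentence: "This requires **clover-controller** and the **cloverctl** CLI to be deployed".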
@@ -421,21 +420,16 @@ Modifying the http-lb server list
By default, both versions of the load balancers send incoming HTTP requests to
**clover-server1/2/3** in round-robin fashion. To have the version 2 load balancer
-(**http-lb-v2**) send its traffic to **clover-server4/5** instead, issue the following command:
+(**http-lb-v2**) send its traffic to **clover-server4/5** instead, issue the following command
+from the **cloverctl** CLI::
-.. code-block:: bash
+ $ cloverctl set lb -f lbv2.yaml
- $ sudo docker run --rm \
- -v ~/.kube/config:/root/.kube/config \
- opnfv/clover \
- /bin/bash -c 'python /home/opnfv/repos/clover/samples/services/nginx/docker/grpc/nginx_client.py \
- --service_type=lbv2 --service_name=http-lb-v2'
+The ``lbv2.yaml`` is available from the yaml directory relative to the **cloverctl** binary.
If the command executes successfully, the return message should appear as below::
- Pod IP: 10.244.0.184
Modified nginx config
- Modification complete
If several more HTTP GET requests are subsequently sent to the ingress, the Jaeger UI should
begin to display requests flowing to **clover-server4/5** from **http-lb-v2**. The **http-lb-v1**
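Review bot: the reader no longer sees how the target service is selected; the removed invocation carried `--service_type=lbv2 --service_name=http-lb-v2`, while the new text only says `lbv2.yaml` exists in the yaml directory. Show the contents of lbv2.yaml, or at least name the fields that select the service and the server list, so someone redirecting a different load balancer knows what to edit. Wording nit: "The ``lbv2.yaml`` is available from the yaml directory relative to the **cloverctl** binary" reads better as "``lbv2.yaml`` is in the ``yaml`` directory next to the **cloverctl** binary".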
@@ -464,40 +458,35 @@ for the alerts. Drilling down into the trace will show a GPRC message from snort
$ wget -U 'asafaweb.com' http://10.244.0.1:32410/
Or alternatively with curl, issue this command to trigger the alert:
-
+:
.. code-block:: bash
$ curl -A 'asafaweb.com' http://10.244.0.1:32410/
The community rule can be copied to local rules in order to ensure an alert is generated
-each time the HTTP GET request is observed by snort using the following command.
+each time the HTTP GET request is observed by snort using the following commands from
+the **cloverctl** CLI::
-.. code-block:: bash
+ $ cloverctl create idsrules -f idsrule_scan.yaml
+ $ cloverctl stop ids
+ $ cloverctl start ids
- $ sudo docker run --rm \
- -v ~/.kube/config:/root/.kube/config \
- opnfv/clover \
- /bin/bash -c 'python /home/opnfv/repos/clover/samples/services/snort_ids/docker/grpc/snort_client.py \
- --cmd=addscan --service_name=snort-ids'
-
-Successful completion of the above command will yield output similar to the following::
+The ``idsrule_scan.yaml`` is available from the yaml directory relative to the **cloverctl**
+binary. Successful completion of the above commands will yield output similar to the following::
- Pod IP: 10.244.0.183
- Stopped Snort on pid: 34, Cleared Snort logs
- Started Snort on pid: 91
Added to local rules
+ Stopped Snort on pid: 48, Cleared Snort logs
+ Started Snort on pid: 155
-To add an ICMP rule to snort service, use the following command:
+To add an ICMP rule to snort service, use the following command::
-.. code-block:: bash
+ $ cloverctl create idsrules -f idsrule_icmp.yaml
+ $ cloverctl stop ids
+ $ cloverctl start ids
- $ sudo docker run --rm \
- -v ~/.kube/config:/root/.kube/config \
- opnfv/clover \
- /bin/bash -c 'python /home/opnfv/repos/clover/samples/services/snort_ids/docker/grpc/snort_client.py \
- --cmd=addicmp --service_name=snort-ids'
+The ``idsrule_icmp.yaml`` is available from the yaml directory relative to the **cloverctl**
-Successful execution of the above command will trigger alerts whenever ICMP packets are observed
+Successful execution of the above commands will trigger alerts whenever ICMP packets are observed
by the snort service. An alert can be generated by pinging the snort service using the flannel IP
address assigned to the **snort-ids** pod. The Jaeger UI can again be inspected and should display
the same ``ProcessAlert`` messages flowing from the **snort-ids** to the **proxy-access-control**
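Review bot: the lone `:` that replaces the blank line after "issue this command to trigger the alert:" joins that paragraph and leaves no blank line before the `.. code-block:: bash` directive, so the curl example will render as paragraph text rather than a code block; restore the blank line (or make the sentence end in `::` as the other new snippets in this hunk do). Further down, "The ``idsrule_icmp.yaml`` is available from the yaml directory relative to the **cloverctl**" is cut off: compare the scan paragraph above, which continues with "binary." followed by the "Successful completion" sentence. As written, the following line "Successful execution of the above commands will trigger alerts..." is absorbed into the truncated sentence.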
@@ -622,12 +611,6 @@ custom rule is ``10000001`` and is output in the above listing.
To exit the Redis CLI, use the command ``exit``.
-A-B Validation
---------------
-
-Please see the configuration guide at :ref:`a_b_config_guide` for details on
-validating A-B route rules using the sample in this guide.
-
Uninstall from Kubernetes envionment
====================================
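Review bot: dropping this section removes the last `:ref:` to `a_b_config_guide`, and together with the toctree removal the A-B guide source becomes unreachable while still sitting in the tree; the commit message says it was not updated from Fraser to Gambia but not whether it is to be deleted or reinstated once updated, which is what a reader of this change needs to know. While here, "envionment" in the heading that follows is a typo for "environment".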