Age | Commit message (Collapse) | Author | Files | Lines |
|
Change-Id: I70b766fe26e750fef6a622344d69ad4f6e2b8962
Signed-off-by: Yujun Zhang <zhang.yujunz@zte.com.cn>
|
|
|
|
- Incorporated feedback from doc reviews
- Fix some rendering issues
- Add redis inspect section
- Update SDC deploy instructions using Fraser release tag
Change-Id: I573dcd04066ad83b9c659fae645c65ab4aaa2007
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Updated the SDC toplevel manifest to use the 'opnfv-6.0.0' tag
- Updated the yaml rendering scripts for individual services
under snort/nginx to use opnfv docker images
Change-Id: I90ef2a8ff5fcc47076192cb556a3a0ff3a9bd846
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Document A-B sample validation script
- Remove redundant TOC in docs
- Provide reference links in SDC guide
- Additional edits to SDC guide
Change-Id: Id4135c99df688f7de1af18017c847a6546082bfc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Provided some overall edits to user guide
- Fixed titles of index files for release notes and user guide
- Added links to SDC, A-B configuration guides and logging, tracing
and monitoring install/validation docs
Change-Id: I9a0e1e0a2c12b20400eec5a5642f7c5de2dbd7bf
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
Change-Id: I6a7a8495deaa32ec053580396dd3c080fa767f99
Signed-off-by: Stephen Wong <stephen.kf.wong@gmail.com>
|
|
|
|
- Add toplevel index to design docs on stable/fraser
- Add headers to each of the design docs
- Added usage of Clover container to install Jaeger/Prometheus
in combination in tracing and monitoring docs
- Minor edits including removing TODO/TBD
Change-Id: I1a33544a5b3d6be4147810ef9472b8d72cdec28c
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Overview with micro-service diagram
- Source diagram file in GIMP with layers for editing by
others
- Deploying the sample
- Using the sample
- Exposing Jaeger Tracing and Prometheus monitoring browser
interfaces
- Modifying run-time micro-service configuration including
modifying load balancer server list and adding a custom snort rule
- Uninstalling the sample
- Updated overview with service description, table and traffic
flow description, general edits
- Link to A/B configuration guide and doc index file
- Additional edits
- Diagram for Jaeger UI with SDC
Change-Id: I5d851316c05a9e1bd48c8aab5511a98116e6893d
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
(cherry picked from commit cf6910ca918b00ef5859bb060ac81cc148e6c0d1)
|
|
the SDC application" into stable/fraser
|
|
|
|
stable/fraser
|
|
- Manual cherry pick to stable/fraser of patch:
https://gerrit.opnfv.org/gerrit/#/c/55387/
Change-Id: I965326b30b2f6266f147de77c4064833856aa186
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
and on the SDC application
Change-Id: I6e1bd84a6d674a2c4c4484722b20415f5402a59c
Signed-off-by: Stephen Wong <stephen.kf.wong@gmail.com>
|
|
(Double commit from master:I89adbef74aa74071a055dcdf62aa0925e263ffe3,
gerrit 56167)
Change-Id: I45071c2d7f3e4264596b9fbe5d8e086e3842fe37
Signed-off-by: Stephen Wong <stephen.kf.wong@gmail.com>
|
|
Change-Id: Ieeaf87ab920f1862e3a1b9ac3316d387ff64954f
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit dae8250ed871ed871a75b5e2eb0ab41879371950)
|
|
- Fix bug with addition of content field in rule definition
that causes rules with a blank content fields to inhibit
snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields
for http traffic from proxy that shows source IP
Some packet data is missing in alerts from snort.
Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
Change-Id: Iebfb747450cc08e930eabd36a87670236b23ffff
Signed-off-by: Yujun Zhang <zhang.yujunz@zte.com.cn>
(cherry picked from commit 8d3f6673e08d6b8c02f604791c6e42a399dc660
|
|
|
|
|
|
`BRANCH` is no longer required since we copy source code from working directory
instead of remote git repository.
Change-Id: I44776538a9efbca72e8d165e7790603cdafbe395
Signed-off-by: Yujun Zhang <zhang.yujunz@zte.com.cn>
|
|
- Exposed the 'content' field in the GRPC server AddRules method
- Allows the 'MALWARE-CNC User-Agent ASafaWeb Scan' signature
in the community rules to be copied to local rules
- Above ensures more deterministic alerts by snort each time
the signature is hit
- Added here to support the SDC configuration guide, which details
how to add this scan rule via GRPC client script
Change-Id: I6945c1e500075444134543bb9eb6003a03f1d5cc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Added pip grpcio and argparse packages to docker build
- Allows service (nginx/snort) client sample scripts to be
executed using the Clover container without having to clone
the repo
Change-Id: Ifeda6d58a9a381cb80372255f41ad703a089ea4b
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
Change-Id: Ibfe0002daff58d30e7fffbb8828d8853a7e963a6
Signed-off-by: Yujun Zhang <zhang.yujunz@zte.com.cn>
(cherry picked from commit f119c6b855e4b6709b5cbf44b46d6046841108ea)
|
|
- Added deploy/clean scripts for use in Clover container
- Deployment of entire SDC scenario
- Deployment includes istio install for manual sidecar injection
without TLS authentication (deploy.sh)
- Added Jaeger tracing and Prometheus monitoring install (view.sh)
- Exposes NodePort for monitoring/tracing to access UIs outside
of cluster
- Clean.sh attempts to remove all of the above
Change-Id: Id9548a77d71465a814a6e0cb1cbdf02d37235590
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
Pipfile.lock ensures a consistent environment
Change-Id: Id2e544c77a67ce8fa010fba9c357735496f62a26
Signed-off-by: Yujun Zhang <zhang.yujunz@zte.com.cn>
(cherry picked from commit 446feb887795ac6250c630f8e1e751f2ca7df596)
|
|
Change-Id: Icbfe547697a8d879f4af8d9f9fbde2211b63129c
Signed-off-by: Yujun Zhang <zhang.yujunz@zte.com.cn>
(cherry picked from commit 406b5d7a74569510aa687882af98024d0e74bc7a)
|
|
Change-Id: I9539985b01d425e3e0350291a715a44e128c6075
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
|
|
- install dependent deb/pip packages
- install basic tools istioctl, kubectl
- install clover source code
- build/upload docker image script
- update requirements.txt
- update module import path
- To use this image use need setup kube-config file.
e.g. `docker run -v /root/config:/root/.kube/config -it clover bash`
Change-Id: I91044bb99ce8e2b785ef03212d961a97b3d42233
Signed-off-by: QiLiang <liangqi1@huawei.com>
(cherry picked from commit c68b7b8380ea8d2ac4da6b4739c6b8e157bb952b)
|
|
|
|
|
|
|
|
- Use a community yaml for redis in k8s as simple data store
- Redis can be used for tracing and also by the snort-ids
to store alerts that can be processed by other services
- If flannel is used, the redis CLI can be accessed on the
host OS with redis-cli -h <flannel ip>
- Within the k8s cluster, the redis service can be accessed with
DNS using name 'redis'
- The same yaml for redis is also included in toplevel manifest for SDC
scenario. Included here if intention is to use separately (tracing
only)
Change-Id: Ibad283a4cc8938fe01f5de6b7743bdb5511be3af
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
(cherry picked from commit 66cc1be27b7fbb27c01a726663e42608eb411672)
|
|
- Provide workaround to make nginx lb work properly
- nginx_client sample can modify default load balancing
from three to two servers at runtime
- Ensure port 9180 is used for default deploy for lb and
servers
- Modify render_yaml to specify deploy_name so that
clover-server1, 2, 3 can be used for default lb config
- Ensure proxy template is aligned to lb to allow the
source IP from originating host to be propagated to final
destination
- Fix default nginx proxy server_name to 'proxy-access-control'
and change default proxy destination to 'http-lb'
- Split lb service_type to 'lbv1' and 'lbv2' to provide an example
of how to modify the run-time configuration of the load balancer
after deployment - modify http-lb-v2 to use clover-server4/5 instead
of the defualt clover-server1/2/3 - modify http-lb-v1 to use
clover-server1/2 instead of 1/2/3
- Aligned pod IP retrival method with nginx_client.py
Change-Id: I73fa60a69c93ae1e82a477ef6283c00f67a21360
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
(cherry picked from commit 5e213108dfade163a85cff9b9156de9bd2c18887)
|
|
- Modified snort-ids alert process to use k8s DNS name
'proxy-access-control' to align with SDC scenario naming
- Added default port 50054 to the manifest yaml template and
rendering script for communication with proxy-access-control
Change-Id: Ib04ee75e5d8ea9921b16b3b4469bed87b1cd2018
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
(cherry picked from commit 30d36864d491d41fcb4700b5363b68086e239e5a)
|
|
- Added missing k8s manifest yaml files for overall service delivery
controller scenario - cannot be deployed coherently without this manifest
- One file for private docker registry and one for opnfv
public registry
- Outlined in JIRA ticket CLOVER-16 and validated per
description
- Includes ingress rule, community redis pod/service and deployments
for http-lb (v1/v2), snort-ids, proxy-access-controller,
and clover-server1-5
- All above pod/deployment naming matches default container
configuration
- Tested with istio manual injection
Change-Id: Ia03782b38020d744ab00c99adbf4832d15bbd9f3
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
(cherry picked from commit 7381d8f19074c2d1bff6982d096d2c23c599172b)
|
|
orchestration/kube_client, and tools/clover_validate_rr"
|
|
orchestration/kube_client, and tools/clover_validate_rr
Add an 'orchestration' directory. Please note that
'orchestration' does NOT mean Clover does any orchestration ---
similar to how Clover doesn't by itself implement tracing or
logging, orchestration is a directory for code related to Docker
orchestration client --- such as k8s client
kube_client utilizes the Kubernetes python client (a dependency)
to perform tasks against Kubernetes API server. For this commit,
it is only tested for weighted route rule verification, it does
three tasks:
(1) get a list of pods under a namespace --- pod dictionary now
only contains pod name and label dictionary: used to match
pod name with the node name in traces from OpenTracing
(2) check to see if a particular pod is up in a particular
namespace: used to check if Istio pods are running in
istio-system namespace
(3) check if a container exists in a list of pods under a
namespace: used to check if application pods have
istio-proxy container running
route_rule directly invokes istioctl as there isn't any Istio
Python client yet. Currently it reads and parses routerules
from Istio, and validates if a particular trace result matches
the routerules
Finally, a sample tool clover_validate_rr is provided. This
tool assumes a previous test has been ran (with an id with
both the route-rule-under-test and corresponding traces are
stored --- currently the assumption is tests were ran with
redis-master running on system). The tool can be invoked:
python clover_validate_rr.py -t <test-id> -s <service name>
where test-id is the ID of the test (most likely uuid) and
service name is the name of the service running in the
Kubernetes cluster upon which test traces should be fetched
against
Change-Id: Ic8ab6efc23c71ac4643bee796ef986a86f6fc7dd
Signed-off-by: Stephen Wong <stephen.kf.wong@gmail.com>
|
|
|
|
- Initial commit to show potential structure of a sample service
- This wil be part of a larger sample application currently dubbed
Service Delivery Controller
- Docker container needs to be built and employs open-source Linux packages
- Service is deployable in Istio service mesh using provided yaml
- Control snort daemon and add custom rules with GRPC messaging
- Process snort alerts actively and send to redis and upstream service
mesh components
- Integrates a web server for better HTTP signature detection
- Improved build script for CI with variables
- Render k8s yaml snort manifest dynamically with command
line options
- Improve snort_client sample script for runtime modifications
including passing args on CLI, error checking
- Update nginx proxy interface
- Added logging to snort server and alert process
Change-Id: Ic56f9fcd9ed21f64b84b85ac8ee280d69af7b7c9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
|
|
|
|
- Proxy allows ingress traffic to be sent to another element in
service mesh
- Mirroring is also in the default configuration
- Default configuration is to proxy to a clover-server and mirror
to snort-ids
- A location_path (URI in HTTP requests) can be reconfigured to
restrict proxing; default to '/'
- A proxy_path can be reconfigured to specify an alternate destination
- A mirror path can be reconfigured to specify where traffic
will be spanned
- The default server_port (listen port) for the proxy is 9180 but can be
reconfigured
- The default server_name is http-proxy but can be reconfigured
- Reconfiguration is done over GRPC with jinja2 template for nginx
- Currently snort ids sends alerts to proxy with stub code in GRPC
- Refactored the code to have a nginx base with subservices
- Proxy, Load Balancer (lb), and Server can share code - mainly GRPC
server
- Nginx subservices have separate docker builds
- Improved build scripts for CI
- Render yaml manifests dynamically
- Improve nginx_client for runtime modifications (but not really
useful yet)
Change-Id: Icbff6890021bcc8a8da4690c9261205d6e1ca43a
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Temporary run functest testcase after all clover env setup.
- TODO: Use jenkins to trigger functest job.
Change-Id: I5f620496d747c4d742c7bbf8bb825616f8c69499
Signed-off-by: QiLiang <liangqi1@huawei.com>
|
|
- Uses REST interface to obtain traces for services from Jaeger
- Discover services availabe in tracing
- Works only with Jaeger at the moment (not zipkin)
- Optional Redis interface added to store traces per test
- Install doc and validation script added for Jaeger
- Renamed doc to docs
Change-Id: I420137c818df290ecd40aa8d318c6961c511a947
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- install prometheus
- validate the installation
- add prometheus query function
- TODO: test collecting telemetry data from istio
JIRA: CLOVER-7
Change-Id: I983be2db78c8c5c20c0acee9ae81e891884e07fb
Signed-off-by: QiLiang <liangqi1@huawei.com>
|