From 82c9058898b1d5eb3155d7c969176533f509ffc5 Mon Sep 17 00:00:00 2001 From: earrage Date: Fri, 9 Nov 2018 13:30:29 -0800 Subject: Modify SDC guide for snort/lb config change from CLI - Convert instructions on how to modify runtime config of snort-ids and http-lb services using cloverctl rather than using python gRPC client script - Remove A-B validation from the SDC guide and from the config guide index, as it was not updated from Fraser to Gambia - Add a yaml to add icmp ids rule Change-Id: I0c5391d9eac0130586d4ab25543a3d308c2ed558 Signed-off-by: earrage --- .../cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml | 9 ++++ docs/release/configguide/index.rst | 1 - docs/release/configguide/sdc_config_guide.rst | 63 ++++++++-------------- 3 files changed, 32 insertions(+), 41 deletions(-) create mode 100644 clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml diff --git a/clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml b/clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml new file mode 100644 index 0000000..44ece96 --- /dev/null +++ b/clover/cloverctl/src/cloverctl/yaml/idsrule_icmp.yaml @@ -0,0 +1,9 @@ +sid: "10000001" +protocol: icmp +dest_port: any +dest_ip: $HOME_NET +src_port: any +src_ip: any +msg: icmp_test +rev: "001" +content: '' diff --git a/docs/release/configguide/index.rst b/docs/release/configguide/index.rst index 41c1eca..d0c446e 100644 --- a/docs/release/configguide/index.rst +++ b/docs/release/configguide/index.rst @@ -14,7 +14,6 @@ Clover Configuration Guide controller_services_config_guide.rst sdc_config_guide.rst - a_b_config_guide.rst jmeter_config_guide.rst visibility_config_guide.rst modsecurity_config_guide.rst diff --git a/docs/release/configguide/sdc_config_guide.rst b/docs/release/configguide/sdc_config_guide.rst index 7b7e77a..a50795f 100644 --- a/docs/release/configguide/sdc_config_guide.rst +++ b/docs/release/configguide/sdc_config_guide.rst 
@@ -409,10 +409,9 @@ Modifying the run-time configuration of services ================================================ The following control-plane actions can be invoked via GRPC messaging from a controlling agent. -For this example, it is conducted from the host OS of a Kubernetes cluster node. - -**Note, the subsequent instructions assume the flannel network CNI plugin is installed. Other -Kubernetes networking plugins may work but have not been validated.** +For this example, it is conducted from the host OS of a Kubernetes cluster node using Clover +system services. This requires **clover-controller** and **cloverctl** CLI be deployed. See +instructions at :ref:`controller_services_controller`. .. _sdc_modify_lb: @@ -421,21 +420,16 @@ Modifying the http-lb server list By default, both versions of the load balancers send incoming HTTP requests to **clover-server1/2/3** in round-robin fashion. To have the version 2 load balancer -(**http-lb-v2**) send its traffic to **clover-server4/5** instead, issue the following command: +(**http-lb-v2**) send its traffic to **clover-server4/5** instead, issue the following command +from the **cloverctl** CLI:: -.. code-block:: bash + $ cloverctl set lb -f lbv2.yaml - $ sudo docker run --rm \ - -v ~/.kube/config:/root/.kube/config \ - opnfv/clover \ - /bin/bash -c 'python /home/opnfv/repos/clover/samples/services/nginx/docker/grpc/nginx_client.py \ - --service_type=lbv2 --service_name=http-lb-v2' +The ``lbv2.yaml`` is available from the yaml directory relative to the **cloverctl** binary. If the command executes successfully, the return message should appear as below:: - Pod IP: 10.244.0.184 Modified nginx config - Modification complete If several more HTTP GET requests are subsequently sent to the ingress, the Jaeger UI should begin to display requests flowing to **clover-server4/5** from **http-lb-v2**. The **http-lb-v1** 
@@ -464,40 +458,35 @@ for the alerts. Drilling down into the trace will show a GPRC message from snort $ wget -U 'asafaweb.com' http://10.244.0.1:32410/ Or alternatively with curl, issue this command to trigger the alert: - +: .. code-block:: bash $ curl -A 'asafaweb.com' http://10.244.0.1:32410/ The community rule can be copied to local rules in order to ensure an alert is generated -each time the HTTP GET request is observed by snort using the following command. +each time the HTTP GET request is observed by snort using the following commands from +the **cloverctl** CLI:: -.. code-block:: bash + $ cloverctl create idsrules -f idsrule_scan.yaml + $ cloverctl stop ids + $ cloverctl start ids - $ sudo docker run --rm \ - -v ~/.kube/config:/root/.kube/config \ - opnfv/clover \ - /bin/bash -c 'python /home/opnfv/repos/clover/samples/services/snort_ids/docker/grpc/snort_client.py \ - --cmd=addscan --service_name=snort-ids' - -Successful completion of the above command will yield output similar to the following:: +The ``idsrule_scan.yaml`` is available from the yaml directory relative to the **cloverctl** +binary. Successful completion of the above commands will yield output similar to the following:: - Pod IP: 10.244.0.183 - Stopped Snort on pid: 34, Cleared Snort logs - Started Snort on pid: 91 Added to local rules + Stopped Snort on pid: 48, Cleared Snort logs + Started Snort on pid: 155 -To add an ICMP rule to snort service, use the following command: +To add an ICMP rule to snort service, use the following command:: -.. 
code-block:: bash + $ cloverctl create idsrules -f idsrule_icmp.yaml + $ cloverctl stop ids + $ cloverctl start ids - $ sudo docker run --rm \ - -v ~/.kube/config:/root/.kube/config \ - opnfv/clover \ - /bin/bash -c 'python /home/opnfv/repos/clover/samples/services/snort_ids/docker/grpc/snort_client.py \ - --cmd=addicmp --service_name=snort-ids' +The ``idsrule_icmp.yaml`` is available from the yaml directory relative to the **cloverctl** -Successful execution of the above command will trigger alerts whenever ICMP packets are observed +Successful execution of the above commands will trigger alerts whenever ICMP packets are observed by the snort service. An alert can be generated by pinging the snort service using the flannel IP address assigned to the **snort-ids** pod. The Jaeger UI can again be inspected and should display the same ``ProcessAlert`` messages flowing from the **snort-ids** to the **proxy-access-control** @@ -622,12 +611,6 @@ custom rule is ``10000001`` and is output in the above listing. To exit the Redis CLI, use the command ``exit``. -A-B Validation --------------- - -Please see the configuration guide at :ref:`a_b_config_guide` for details on -validating A-B route rules using the sample in this guide. - Uninstall from Kubernetes envionment ==================================== -- cgit 1.2.3-korg
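Review bot: in the new `idsrule_icmp.yaml` the value `sid: "10000001"` needs to be checked against the sid used by `idsrule_scan.yaml`, because the `sdc_config_guide.rst` context in this patch says the custom rule shown in the Redis listing is ``10000001``; if both sample files carry the same sid, Snort treats the second rule as a duplicate of the first (same gid:sid, different rule body) and may refuse to load it, so `cloverctl create idsrules -f idsrule_icmp.yaml` followed by `cloverctl start ids` would not produce the ICMP alerts the guide promises. Give each sample file its own sid and keep the guide's listing in sync. It would also help to note in the file that `dest_port: any` / `src_port: any` are only syntactic placeholders for an ICMP rule and that `content: ''` means no payload match, so the rule alerts on every ICMP packet toward `$HOME_NET`; that is what the demo intends, but a reader copying the file as a template should know it is not a tuned detection rule.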
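Review bot: dropping `a_b_config_guide.rst` from the toctree in `index.rst` without deleting the file (the change summary lists three files and no deletion) leaves an orphan document, which Sphinx reports as a warning (document isn't included in any toctree) and which fails a docs build run with warnings treated as errors. Either delete `a_b_config_guide.rst` in the same change, as the commit message's "not updated from Fraser to Gambia" rationale suggests, or put `:orphan:` at the top of that file until it is removed.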
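Review bot: the flannel note removed in the `@@ -409` hunk is still relied on later in the same file: the unchanged text in the `@@ -464` region tells the reader to ping "the flannel IP address assigned to the **snort-ids** pod". Either keep a short statement of the CNI assumption here or reword the later sentence to "the pod IP address" so the two passages agree. Minor grammar in the added line: "This requires **clover-controller** and **cloverctl** CLI be deployed" reads better as "This requires that the **clover-controller** service and the **cloverctl** CLI be deployed".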
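Review bot: in the `@@ -421` hunk, `cloverctl set lb -f lbv2.yaml` passes a bare filename, while the next sentence says the file lives in the yaml directory relative to the **cloverctl** binary, so the command only succeeds when run from that directory; state the working directory explicitly or give the path on the command line (for example `-f <path-to-cloverctl>/yaml/lbv2.yaml`, with the real path filled in). The expected output is also cut down to the single line `Modified nginx config`; if cloverctl no longer reports the pod IP that is fine, but confirm this is the actual CLI output rather than a trimmed copy of the old gRPC script's messages, since readers use it to judge whether the call worked.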
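Review bot: in the `@@ -464` hunk the `+:` line that replaces the blank line before `.. code-block:: bash` looks like a stray keystroke and breaks the RST: without a blank line the directive is read as a continuation of the "Or alternatively with curl, issue this command to trigger the alert:" paragraph, so the curl command renders as prose instead of a code block. Restore the blank line. Further down, the added sentence "The ``idsrule_icmp.yaml`` is available from the yaml directory relative to the **cloverctl**" is cut off (the scan variant ends with "binary.") and has no blank line after it, so it runs into "Successful execution of the above commands..." as one paragraph; finish the sentence and separate the paragraphs. The bare `-f idsrule_scan.yaml` and `-f idsrule_icmp.yaml` arguments likewise resolve only when the command is run from that yaml directory, which the text should say.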
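Review bot: removing the A-B Validation subsection in the `@@ -622` hunk matches the index change, but check that no other document still uses `:ref:\`a_b_config_guide\``; with the toctree entry gone and the file not deleted in this patch, a remaining reference would point at an orphan page. While this region is being edited, the heading "Uninstall from Kubernetes envionment" in the trailing context has a typo (environment) that could be fixed in the same change.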