+.. This work is licensed under a Creative Commons Attribution 4.0 International
+.. License.
+.. (c) OPNFV, Arm Limited.
+Container4NFV Openwrt Demo Deployment on Arm Server
+This document gives a brief introduction on how to deploy openwrt services with multiple networking interfaces on Arm platform.
+.. _sriov_cni:
+.. _Flannel:
+.. _Multus:
+.. _cni:
+.. _kubeadm:
+.. _openwrt:
+The OpenWrt Project is a Linux operating system targeting embedded devices.
+Also it is a famouse open source router project.
+We use it as a demo to show how to deploy an open source vCPE in Kubernetes.
+For Lan port, we configured flannel cni for it. And for Wan port, we configured sriov cni for it.
+For demo purpose, I suggest that we use Kubeadm to deploy a Kubernetes cluster firstly.
+Cluster Info
+In this case, we deploy master and slave as one node.
+Suppose it to be:
+In, 2 NIC as required.
+Suppose it to be: eth0, eth1. eth0 is used to be controle plane, and eth1 is used to be data plane.
+Deploy Kubernetes
+Please see link( as reference.
+Creat CRD
+Please make sure that CRD was added for Kubernetes cluster.
+Here we name it as crdnetwork.yaml:
+ apiVersion:
+ kind: CustomResourceDefinition
+ metadata:
+ # name must match the spec fields below, and be in the form: <plural>.<group>
+ name:
+ spec:
+ # group name to use for REST API: /apis/<group>/<version>
+ group:
+ # version name to use for REST API: /apis/<group>/<version>
+ version: v1
+ # either Namespaced or Cluster
+ scope: Namespaced
+ names:
+ # plural name to be used in the URL: /apis/<group>/<version>/<plural>
+ plural: networks
+ # singular name to be used as an alias on the CLI and for display
+ singular: network
+ # kind is normally the CamelCased singular type. Your resource manifests use this.
+ kind: Network
+ # shortNames allow shorter string to match your resource on the CLI
+ shortNames:
+ - net
+ kubectl create -f crdnetwork.yaml
+Create Flannel-network for Control Plane
+Create flannel network as control plane.
+Here we name it as flannel-network.yaml:
+ apiVersion: ""
+ kind: Network
+ metadata:
+ name: flannel-conf
+ plugin: flannel
+ args: '[
+ {
+ "masterplugin": true,
+ "delegate": {
+ "isDefaultGateway": true
+ }
+ }
+ ]'
+ kubectl create -f flannel-network.yaml
+Create Sriov-network for Data Plane
+Create sriov network with PF mode as data plane.
+Here we name it as sriov-network.yaml:
+ apiVersion: ""
+ kind: Network
+ metadata:
+ name: sriov-conf
+ plugin: sriov
+ args: '[
+ {
+ "master": "eth1",
+ "pfOnly": true,
+ "ipam": {
+ "type": "dhcp",
+ }
+ }
+ ]'
+ kubectl create -f sriov-network.yaml
+CNI Installation
+.. _CNI:
+Firstly, we should deploy all CNI plugins. The build process is following:
+ git clone
+ cd plugins
+ ./
+ cp bin/* /opt/cni/bin
+.. _Multus:
+To deploy control plane and data plane interfaces, besides the Flannel CNI and SRIOV CNI,
+we need to deploy the Multus_. The build process of it is as:
+ git clone
+ cd multus-cni
+ ./build
+ cp bin/multus /opt/cni/bin
+To use the Multus_ CNI,
+we should put the Multus CNI binary to /opt/cni/bin/ where the Flannel CNI and SRIOV
+CNIs are put.
+.. _SRIOV:
+The build process of it is as:
+ git clone
+ cd sriov-cni
+ ./build
+ cp bin/* /opt/cni/bin
+We also need to enable DHCP client for Wan port.
+So we should enable dhcp cni for it.
+ /opt/cni/bin/dhcp daemon &
+CNI Configuration
+The following multus CNI configuration is located in /etc/cni/net.d/, here we name it
+as multus-cni.conf:
+ {
+ "name": "minion-cni-network",
+ "type": "multus",
+ "kubeconfig": "/etc/kubernetes/admin.conf",
+ "delegates": [{
+ "type": "flannel",
+ "masterplugin": true,
+ "delegate": {
+ "isDefaultGateway": true
+ }
+ }]
+ }
+ step1, remove all files in /etc/cni/net.d/
+ rm /etc/cni/net.d/* -rf
+ step2, copy /etc/kubernetes/admin.conf into each nodes.
+ step3, copy multus-cni.conf into /etc/cni/net.d/
+ step4, restart kubelet
+ systemctl restart kubelet
+Configuring Pod with Control Plane and Data Plane
+1, Save the below following YAML to openwrt-vpn-multus.yaml.
+In this case flannle-conf network object act as the primary network.
+ apiVersion: v1
+ kind: ReplicationController
+ metadata:
+ name: openwrtvpn1
+ spec:
+ replicas: 1
+ template:
+ metadata:
+ name: openwrtvpn1
+ labels:
+ app: openwrtvpn1
+ annotations:
+ networks: '[
+ { "name": "flannel-conf" },
+ { "name": "sriov-conf" }
+ ]'
+ spec:
+ containers:
+ - name: openwrtvpn1
+ image: "younglook/openwrt-demo:arm64"
+ imagePullPolicy: "IfNotPresent"
+ command: ["/sbin/init"]
+ securityContext:
+ capabilities:
+ add:
+ stdin: true
+ tty: true
+ ports:
+ - containerPort: 80
+ - containerPort: 4500
+ - containerPort: 500
+ ---
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: openwrtvpn1
+ spec: # specification of the pod's contents
+ type: NodePort
+ selector:
+ app: openwrtvpn1
+ ports: [
+ {
+ "name": "floatingu",
+ "protocol": "UDP",
+ "port": 4500,
+ "targetPort": 4500
+ },
+ {
+ "name": "actualu",
+ "protocol": "UDP",
+ "port": 500,
+ "targetPort": 500
+ },
+ {
+ "name": "web",
+ "protocol": "TCP",
+ "port": 80,
+ "targetPort": 80
+ },
+ ]
+2, Create Pod
+ command:
+ kubectl create -f openwrt-vpn-multus.yaml
+3, Get the details of the running pod from the master
+ # kubectl get pods
+ openwrtvpn1 1/1 Running 0 30s
+Verifying Pod Network
+ # kubectl exec openwrtvpn1 -- ip a
+ 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+ 3: eth0@if124: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue
+ link/ether 0a:58:0a:e9:40:2a brd ff:ff:ff:ff:ff:ff
+ inet scope global eth0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::8e6:32ff:fed3:7645/64 scope link
+ valid_lft forever preferred_lft forever
+ 4: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
+ link/ether 52:54:00:d4:d2:e5 brd ff:ff:ff:ff:ff:ff
+ inet scope global net0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::5054:ff:fed4:d2e5/64 scope link
+ valid_lft forever preferred_lft forever
+Bin Lu:
+ARM64 Hardware Platform Awareness
+This document describes Arm64 specific features for HPA
+1. ARM64 ELF hwcaps
+The majority of hwcaps are intended to indicate the presence of features
+which are described by architected ID registers inaccessible to
+userspace code at EL0. These hwcaps are defined in terms of ID register
+fields, and should be interpreted with reference to the definition of
+these fields in the ARM Architecture Reference Manual.
+ Floating-point.
+ Functionality implied by ID_AA64PFR0_EL1.FP == 0b0000.
+ Advanced SIMD.
+ Functionality implied by ID_AA64PFR0_EL1.AdvSIMD == 0b0000.
+ The generic timer is configured to generate events at a frequency of
+ approximately 100KHz.
+ Advanced Encryption Standard.
+ Functionality implied by ID_AA64ISAR1_EL1.AES == 0b0001.
+ Polynomial multiply long (vector)
+ Functionality implied by ID_AA64ISAR1_EL1.AES == 0b0010.
+ SHA1 hash update accelerator.
+ Functionality implied by ID_AA64ISAR0_EL1.SHA1 == 0b0001.
+ SHA2 hash update accelerator.
+ Functionality implied by ID_AA64ISAR0_EL1.SHA2 == 0b0001.
+ CRC32 instruction.
+ Functionality implied by ID_AA64ISAR0_EL1.CRC32 == 0b0001.
+ Atomics instruction.
+ Functionality implied by ID_AA64ISAR0_EL1.Atomic == 0b0010.
+ Instructions to convert between half-precision and single-precision, and between half-precision and double-precision.
+ Functionality implied by ID_AA64PFR0_EL1.FP == 0b0001.
+ Indicates whether the Advanced SIMD and Floating-point extension supports half-precision floating-point conversion operations.
+ Functionality implied by ID_AA64PFR0_EL1.AdvSIMD == 0b0001.
+ EL0 access to certain ID registers is available, to the extent
+ described by Documentation/arm64/cpu-feature-registers.txt.
+ These ID registers may imply the availability of features.
+ Indicates whether Rounding Double Multiply (RDM) instructions are implemented for Advanced SIMD.
+ Functionality implied by ID_AA64ISAR0_EL1.RDM == 0b0001.
+ ARMv8.3 adds support for a new instruction to perform conversion
+ from double precision floating point to integer to match the
+ architected behaviour of the equivalent Javascript conversion.
+ Functionality implied by ID_AA64ISAR1_EL1.JSCVT == 0b0001.
+ ARM v8.3 adds support for new instructions to aid floating-point
+ multiplication and addition of complex numbers.
+ Functionality implied by ID_AA64ISAR1_EL1.FCMA == 0b0001.
+ ARMv8.3 adds new instructions to support Release Consistent
+ processor consistent (RCpc) model, which is weaker than the
+ RCsc model.
+ Functionality implied by ID_AA64ISAR1_EL1.LRCPC == 0b0001.
+ The ARMv8.2-DCPoP feature introduces persistent memory support to the
+ architecture, by defining a point of persistence in the memory
+ hierarchy, and a corresponding cache maintenance operation, DC CVAP.
+ Functionality implied by ID_AA64ISAR1_EL1.DPB == 0b0001.
+ Secure Hash Standard3 (SHA3)
+ Functionality implied by ID_AA64ISAR0_EL1.SHA3 == 0b0001.
+ Commercial Cryptography Scheme.
+ Functionality implied by ID_AA64ISAR0_EL1.SM3 == 0b0001.
+ Commercial Cryptography Scheme.
+ Functionality implied by ID_AA64ISAR0_EL1.SM4 == 0b0001.
+ Performing dot product of 8bit elements in each 32bit element
+ of two vectors and accumulating the result into a third vector.
+ Functionality implied by ID_AA64ISAR0_EL1.DP == 0b0001.
+ Secure Hash Standard
+ Functionality implied by ID_AA64ISAR0_EL1.SHA2 == 0b0002.
+ Scalable Vector Extension (SVE) is a vector extension for
+ AArch64 execution mode for the A64 instruction set of the Armv8 architecture.
+ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001.
+2. ARM64 Memory Partitioning and Monitoring (MPAM)
+Armv8.4-A adds a feature called Memory Partitioning and Monitoring (MPAM). This has several uses.
+Some system designs require running multiple applications or multiple virtual machines concurrently on a system
+where the memory system is shared and where the performance of some applications or some virtual machines must
+be only minimally affected by other applications or virtual machines. These scenarios are common in enterprise
+networking and server systems.
+This proposal addresses these scenarios with two approaches that work together under software control:
+- Memory/Cache system resource partitioning
+- Performance resource monitoring
+3. Arm Power State Coordination Interface (PSCI)
+PSCI has the following intended uses:
+- Provides a generic interface that supervisory software can use to
+manage power in the following situations:
+- Core idle management.
+- Dynamic addition of cores to and removal of cores from the
+system, often referred to as hotplug.
+- Secondary core boot.
+- Moving trusted OS context from one core to another.
+- System shutdown and reset.
+- Provides an interface that supervisory software can use in conjunction
+with Firmware Table (FDT and ACPI) descriptions to support the
+generalization of power management code.
+4. Arm TrustZone
+Arm TrustZone technology provides system-wide hardware isolation for trusted software.
+The family of TrustZone technologies can be integrated into any Arm Cortex-A core,
+supporting high-performance applications processors, with TrustZone technology for Cortex-A processors.
+5. Arm CPU Info Detection
+Computing resources should be collected by NFV COE, such as:
+- Arm specific:
+ CPU Part: indicates the primary part number.
+ For example:
+ 0xD09 Cortex-A73 processor.
+ CPU Architecture: indicates the architecture code.
+ For example:
+ 0xF Defined by CPUID scheme.
+ CPU Variant: indicates the variant number of the processor.
+ This is the major revision number n in the rn part of
+ the rnpn description of the product revision status.
+ CPU Implementer: indicates the implementer code.
+ For example:
+ 0x41 ASCII character 'A' - implementer is ARM Limited.
+ CPU Revision: indicates the minor revision number of the processor.
+ This is the minor revision number n in the pn part of
+ the rnpn description of the product revision status.
@@ -9,3 +9,11 @@ Container4NFV E release Notes
2. Container architecture options
3. Joid could support Kubernetes
4. Using vagrant tool to setup an env with DPDK enabled.
+Container4NFV F release Notes
+1. Enable Multus in Kubernetes
+2. Enable SR-IOV in Kubernetes
+3. Support ARM platform
diff --git a/docs/release/userguide/clearwater-project.rst b/docs/release/userguide/clearwater-project.rst
index 6a5ac60..38f1c7a 100644
--- a/docs/release/userguide/clearwater-project.rst
+++ b/docs/release/userguide/clearwater-project.rst
@@ -1,24 +1,25 @@
Clearwater implementation for OPNFV
CONTAINER4NFV setup a Kubernetes cluster on VMs running with Vagrant and kubeadm.
kubeadm assumes you have a set of machines (virtual or bare metal) that are up and running. In this way we can get a cluster with one master node and 2 workers (default). If you want to increase the number of workers nodes, please check the Vagrantfile inside the project.
-Is Clearwater suitable for Network Functions Virtualization?
+*Is Clearwater suitable for Network Functions Virtualization?*
Network Functions Virtualization or NFV is, without any doubt, the hottest topic in the telco network space right now. It’s an approach to building telco networks that moves away from proprietary boxes wherever possible to use software components running on industry-standard virtualized IT infrastructures. Over time, many telcos expect to run all their network functions operating at Layer 2 and above in an NFV environment, including IMS. Since Clearwater was designed from the ground up to run in virtualized environments and take full advantage of the flexibility of the Cloud, it is extremely well suited for NFV. Almost all of the ongoing trials of Clearwater with major network operators are closely associated with NFV-related initiatives.
About Clearwater
-[Clearwater]( follows [IMS]( architectural principles and supports all of the key standardized interfaces expected of an IMS core network. But unlike traditional implementations of IMS, Clearwater was designed from the ground up for the Cloud. By incorporating design patterns and open source software components that have been proven in many global Web applications, Clearwater achieves an unprecedented combination of massive scalability and exceptional cost-effectiveness.
+`Clearwater <>`_ follows `IMS <>`_ architectural principles and supports all of the key standardized interfaces expected of an IMS core network. But unlike traditional implementations of IMS, Clearwater was designed from the ground up for the Cloud. By incorporating design patterns and open source software components that have been proven in many global Web applications, Clearwater achieves an unprecedented combination of massive scalability and exceptional cost-effectiveness.
Clearwater provides SIP-based call control for voice and video communications and for SIP-based messaging applications. You can use Clearwater as a standalone solution for mass-market VoIP services, relying on its built-in set of basic calling features and standalone susbscriber database, or you can deploy Clearwater as an IMS core in conjunction with other elements such as Telephony Application Servers and a Home Subscriber Server.
-Clearwater was designed from the ground up to be optimized for deployment in virtualized and cloud environments. It leans heavily on established design patterns for building and deploying massively scalable web applications, adapting these design patterns to fit the constraints of SIP and IMS. [The Clearwater architecture]( therefore has some similarities to the traditional IMS architecture but is not identical.
+Clearwater was designed from the ground up to be optimized for deployment in virtualized and cloud environments. It leans heavily on established design patterns for building and deploying massively scalable web applications, adapting these design patterns to fit the constraints of SIP and IMS. `The Clearwater architecture <>`_ therefore has some similarities to the traditional IMS architecture but is not identical.
- All components are horizontally scalable using simple, stateless load-balancing.
- All long lived state is stored on dedicated “Vellum” nodes which make use of cloud-optimized storage technologies such as Cassandra. No long lived state is stored on other production nodes, making it quick and easy to dynamically scale the clusters and minimizing the impact if a node is lost.
@@ -27,8 +28,163 @@ Clearwater was designed from the ground up to be optimized for deployment in vir
Clearwater Architecture
.. image:: img/clearwater_architecture.png
:width: 800px
:alt: Clearwater Architecture
+This repository contains instructions and resources for deploying Metaswitch's Clearwater project with Kubernetes.
+If you need more information about Clearwater project please checkout our
+or the `official repository <>`_.
+Exposed Services
+The deployment exposes:
+ - the Ellis web UI on port 30080 for self-provisioning.
+ - STUN/TURN on port 3478 for media relay.
+ - SIP on port 5060 for service.
+ - SIP/WebSocket on port 5062 for service.
+SIP devices can register with bono.:5060 and the Ellis provisioning interface can be accessed at port 30080.
+Install Docker and Vagrant
+CONTAINER4NFV uses ```` to install all resource used by this repository.
+ container4nfv/src/vagrant# ./ -b libvirt
+Deploy Clearwater with kubeadm
+Check ``clearwater/`` for details about k8s deployment.
+ container4nfv/src/vagrant/kubeadm_clearwater# ./
+ container4nfv/src/vagrant# ./
+Making calls through Clearwater
+Connect to Ellis service
+It's important to connect to Ellis to generate the SIP username, password and domain we will use with the SIP client.
+Use your <master ip addres> + port 30080 (k8s default port). If you are not which Ellis's url is, please check inside your master node.
+ kubeadm_clearwater# vagrant ssh master
+ master@vagrant# ifconfig eth0 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1
+In your browser connect to `<master_ip>:30080` (ex.
+After that, signup and generate two users. The signup key is **secret**. Ellis will automatically allocate you a new number and display
+its password to you. Remember this password as it will only be displayed once.
+From now on, we will use <username> to refer to the SIP username (e.g. 6505551234) and <password> to refer to the password.
+Config and install two SIP clients
+We'll use both Twinkle and Blink SIP client. , since we are going to try this out inside a LAN network.
+This is, of course, only a local test inside a LAN network. Configure the clients may be a little bit trickie, so we add some screenshots:
+Blink setup
+1. Add <username> and <password>.
+.. image:: img/blink01.png
+ :width: 800px
+ :alt: Blink SIP client
+2. Configure a proxy to k8s.
+.. image:: img/blink02.png
+ :width: 800px
+ :alt: Blink SIP client
+3. Configure the network to use TCP only.
+.. image:: img/blink03.png
+ :width: 800px
+ :alt: Blink SIP client
+.. image:: img/blink04.png
+ :width: 800px
+ :alt: Blink SIP client
+Twinkle setup
+1. Configure a proxy to k8s.
+.. image:: img/twinkle01.png
+ :width: 800px
+ :alt: Twinkle SIP client
+2. Add <username> and <password>.
+.. image:: img/twinkle02.png
+ :width: 800px
+ :alt: Twinkle SIP client
+3. Configure the network to use TCP only.
+.. image:: img/twinkle03.png
+ :width: 800px
+ :alt: Twinkle SIP client
+Make the call
+.. image:: img/call.png
+ :width: 800px
+ :alt: Call
+ Snort
+ What is Snort?
+`Snort <>`_. is an open source network intrusion prevention system, capable
+of performing real-time traffic analysis and packet logging on IP
+networks. It can perform protocol analysis, content searching/matching,
+and can be used to detect a variety of attacks and probes, such as buffer
+overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
+attempts, and much more.
+ What can I do with Snort?
+Snort has three primary uses: It can be used as a straight packet sniffer
+like tcpdump, a packet logger (useful for network traffic debugging, etc),
+or as a full blown network intrusion prevention system.
+ How Snort works?
+Snort works with rules. Rules are a different methodology for performing
+detection, which bring the advantage of 0-day detection to the table.
+Unlike signatures, rules are based on detecting the actual vulnerability,
+not an exploit or a unique piece of data. Developing a rule requires an
+acute understanding of how the vulnerability actually works.