Versions Compared

Introduction

...

To add more Jenkins slave nodes, please follow the Akraino Jenkins guide

To set up a private Jenkins, please refer to the README.md under icn/ci/

...

| Hostname | CPU Model | Memory | BMC Firmware | Storage | 1GbE: NIC#, VLAN (Connected extreme 480 switch) | 10GbE: NIC# VLAN, Network (Connected with IZ1 switch) | 40GbE: NIC# |
|---|---|---|---|---|---|---|---|
| Jump | Intel 2xE5-2699 | 64GB | 1.46.9995 | 3TB (Sata); 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) | |
| node1 | Intel 2xE5-2699 | 64GB | 1.46.9995 | 3TB (Sata); 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) | |
| node2 | Intel 2xE5-2699 | 64GB | 1.46.9995 | 3TB (Sata); 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) | IF4: SRIOV |

Virtual deployment

| Hostname | CPU Model | Memory | Storage | 1GbE: NIC#, VLAN (Connected extreme 480 switch) | 10GbE: NIC# VLAN, Network (Connected with IZ1 switch) |
|---|---|---|---|---|---|
| node1 | Intel 2xE5-2699 | 64GB | 3TB (Sata); 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) |

Test Framework

All components are tested with end-to-end testing

...

  • The bpa_verifier.sh script gets the MAC addresses and IP addresses of the 2 VMs provisioned by metal3, then creates a fake DHCP lease file using the IP address and MAC address information. It also creates a provisioning CR using the MAC address information.
  • The script then creates an ssh secret key using the ssh keys of the test host and applies the provisioning CR.
  • The script busy loops until the KUD installation job completes or fails. If it completes successfully, it runs a curl command using the authentication info of the new cluster to confirm whether it was successful. On completing all the steps, it does a teardown where it deletes everything it created.
BPA

...

  • Virtlet VM provisioning is tested as part of the 'verify_nestedk8s' testcase. K8s is first launched with Virtlet using KuD scripts after the prerequisite packages are installed.
  • Next, BPA operator and multicloud-k8s docker images are built and BPA operator scripts including the provisioning_crd are deployed. Then, the Virtlet VM E2E script is launched which does the following:
  • It creates a new flannel network definition for assigning MAC addresses to VMs, creates a test Virtlet VM, and creates a provisioning CR for the same MAC address. The BPA operator then provisions the Virtlet VM by initiating the KuD installer job, which installs K8s in the Virtlet VM.
BPA Rest Agent

...

Rest Agent
  • The test script, e2e_test.sh, creates a dummy image file, creates a test JSON file, checks the BPA Rest Agent status, and issues POST, GET, and PATCH requests sequentially.
  • Next, e2e_test.sh checks the uploaded MinIO image object size and calls DELETE.
  • If the script fails at any point then verification was unsuccessful.

...

  • The SRIOV network device plugin is a Kubernetes device plugin for discovering and advertising SRIOV network virtual functions (VFs) in a Kubernetes host.
  • We first determine which hosts are SRIOV capable, install the drivers on them, run the DaemonSet, and register the Network attachment definition.
  • On SRIOV-capable hosts, we can get the resources for the node before we run the pod. When we run the test case, there is a request for a VF from the pod, therefore the number of resources for the node is increased.
QAT
  • KUD identifies whether there are QAT devices in the host and decides whether to deploy the QAT device plugin into the Kubernetes cluster.
  • The QAT device plugin discovers and advertises QAT virtual functions (VFs) to the Kubernetes cluster.
  • KUD assigns 1 QAT VF to the Kernel workloads. After the assignment finishes, the Allocated resources in the node description will increase.
CMK
  • CPU Manager for Kubernetes provides CPU pinning for K8s workloads. In KUD, there are two test cases, covering the exclusive and shared CPU pools.

...

  • Use KUD to set up 3 clusters (sdewan-hub, edge-a, edge-b)
  • Create an SDEWAN CNF instance and dummy pod (using httpbin instead) in edge-a, and an SDEWAN CNF instance and httpbin pod in edge-b
  • Configure sdewan-hub as responder to provide virtual IP addresses to any authenticated party requesting IP addresses.
  • Configure the edge-a and edge-b IPSec configuration to get the IP addresses.
  • Establish the edge-a tunnel to sdewan-hub and the edge-b tunnel to sdewan-hub; the hub policy for XFRM policies will automatically route traffic between edge-a and edge-b
  • Establish an SNAT rule in edge-a and a DNAT rule in edge-b to enable a TCP connection from edge-a to edge-b's httpbin service.
  • Verify the curl command is successful from the edge-a dummy pod (using httpbin instead) to edge-b's httpbin service. The curl command returns the IP address of the requester.

Openness
  • Install EAA helm charts through ONAP4K8S in the edge location.
  • Install Openness simple EAA producer and simple EAA consumer through ONAP4K8S
  • Verify EAA consumer can consume the service provided by EAA producer.

...

EdgeX Foundry helm charts are installed through ONAP in the edge location. The test case ensures that all the EdgeX Framework containers are up and running.

BluVal Testing

Igor D.C.

Status as of May 13th 28th 2020:

Layer

Result

Comments

Comment
Nexus

os/lynis

PASS

if disabling ICN plugins

If libvirt or weave are installed, lynis will no longer pass. This is a problem because the virtlet ICN plugin requires libvirt.


Logs

os/vuls

FAIL:

153

141 unfixed vulnerabilities found

141 unfixed vulnerabilities.

Total: 153 (High:

33

30 Medium:

93

96 Low:27 ?:0),

1

 12/153 Fixed,

801

795 installed, 0 exploits, en: 2, ja: 0 alerts

Logs

k8s/conformance

PASS

if disabling ICN plugins

Need to enable ICN plugins and understand reason for failures. Just the basic KUD deployment is enough to make conformance pass.


Logs

k8s/kubehunter

FAIL

PASS except:

  • Inside-a-Pod Scanning:
5 vulnerabilities

Patched system:public-info-viewer to hide /version, otherwise Cluster Remote Scanning would fail too. Need to update KUD scripts to automatically patch system:public-info-viewer.

Important links:

Steps To Implement Security Scan Requirements

Security Scan Status

  • 1 vulnerability: CAP_NET_RAW

Inside-a-Pod Scanning: 1 vulnerability: CAP_NET_RAW.

Logs
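
The two kube-hunter items in the row above, as an added example (not ICN or KUD code): removing /version from a system:public-info-viewer manifest so the change survives an API server restart, and listing the containers of a pod that still hold NET_RAW. It assumes manifests loaded as dicts, for instance from `kubectl get -o json`, and that the patch is made by editing the role's nonResourceURLs; the sample role and pod are constructed.

```python
import copy

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

def hide_version(cluster_role):
    """Copy of a ClusterRole manifest with the /version URLs removed."""
    role = copy.deepcopy(cluster_role)
    kept_rules = []
    for rule in role.get("rules", []):
        if "nonResourceURLs" in rule:
            rule["nonResourceURLs"] = [
                u for u in rule["nonResourceURLs"] if u.rstrip("/") != "/version"]
            if not rule["nonResourceURLs"]:
                continue  # the rule granted nothing but /version
        kept_rules.append(rule)
    role["rules"] = kept_rules
    # Default roles are reconciled when the API server starts; without this
    # annotation the removed URLs come back after a restart.
    role.setdefault("metadata", {}).setdefault("annotations", {})[AUTOUPDATE] = "false"
    return role

def _caps(names):
    # Normalise "CAP_NET_RAW" / "net_raw" to "NET_RAW".
    return {n.upper().replace("CAP_", "", 1) for n in names or []}

def net_raw_containers(pod):
    """Names of containers in a Pod manifest that still hold NET_RAW."""
    found = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added, dropped = _caps(caps.get("add")), _caps(caps.get("drop"))
        # An explicit add is reported even when also dropped: ordering is runtime-specific.
        if sc.get("privileged") or added & {"NET_RAW", "ALL"} \
                or not dropped & {"NET_RAW", "ALL"}:
            found.append(c["name"])
    return found

# Constructed sample input (not taken from the ICN cluster).
ROLE = {"metadata": {"name": "system:public-info-viewer"},
        "rules": [{"verbs": ["get"], "nonResourceURLs":
                   ["/healthz", "/livez", "/readyz", "/version", "/version/"]}]}
POD = {"spec": {"containers": [
    {"name": "httpbin"},  # no securityContext: keeps the runtime default set
    {"name": "hardened", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    {"name": "pinger", "securityContext": {
        "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}}]}}

if __name__ == "__main__":
    print(hide_version(ROLE)["rules"])
    print(net_raw_containers(POD))
```
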

CI logs: 

The Gerrit comments contain the CI log URL. All the CI logs are under the ICN folder: https://jenkins.akraino.org/view/icn/job/icn-master-verify/

Latest CI logs

CD Logs:

ICN Master Baremetal Deployment Verifier

ICN Master Baremetal Virtual Deployment for Hardware verificationVerifer

ICN Master Hardware Baremetal Deployment Virtlet nested K8s VerifierVerifer

ICN SDEWAN Master Virtual Deployment VeriferEnd2End Testing

ICN Master Virtual Deployment Virtlet nested K8s Optane Hardware Baremetal Deployment Verifier

Test Dashboards

All the testing results are in logs

...