...
Describe the components of Test set up
Test Bed
Test Framework
- PCEI Deployment Tests
Described in the PCEI R4 Installation Guide
- PCEI End-to-End Validation Tests
Described in the PCEI R4 End-to-End Validation Guide
- BluVal Tests
Described in the BluVal Test section of this document.
...
For end-to-end functional verification, a simulated IoT Client was provided. Please refer to PCEI R4 End-to-End Validation Guide.
Test API description
Test APIs NOT USED (except BluVal Robot)
Akraino common tests
NOT PERFORMED
The Test inputs
Test Procedure
...
Blueprint extension tests
The Test inputs
| Test | Description | Result | Reference |
|---|---|---|---|
| EMCO Deployment | Install EMCO Orchestrator | Pass | |
| Edge Cluster Deployment | Deploy Edge K8S Clusters | Pass | PCEI R4 Installation Guide |
| EMCO UI Access | Access EMCO UI | Pass | PCEI R4 Installation Guide |
| Register Edge Cluster | Register Edge K8S Cluster with EMCO | Pass | |
| Create Service/App | Create Service/App in EMCO for Azure IoT Edge, AWS GGC and PCEI Location API App | All PASS | |
| Deploy Apps onto Edge Clusters | Deploy Azure IoT Edge, AWS GGC and PCEI Location API Apps onto Edge K8S Clusters | All PASS | |
| Verify Azure IoT Edge with IoT Client | Start IoT Client, send messages to Azure IoT Edge. Monitor IoT Edge receive and decode messages | PASS | |
| Verify AWS GGC App | Confirm AWS GGC App registers with AWS IoT Coire | PASS | |
| Verify PCEI Location API App | Confirm PCEI Location API App is running and responding to requests | PASS |
Test Procedure
PCEI R4 End-to-End Validation Guide
Expected output
All tests pass
Test Results
Refer to sections of the following documents for detailed test results:
PCEI R4 End-to-End Validation Guide
Feature Project Tests
NOT PERFORMED
The Test inputs
Test Procedure
...
BluVal Tests
The Test inputs
BluVal Test Environment setup according to:
Test Procedure
- Deploy a Test VM
- Install Docker: https://docs.docker.com/engine/install/ubuntu/
- Clone BluVal Validation Framework into the Test VM:
- Copy SUT's .kube/config file and SSH key to the Test VM
- Configure validation environment:
| Code Block | ||
|---|---|---|
| ||
cd validation
vi bluval-pcei.yaml
blueprint:
name: pcei
layers:
- os
- docker
- k8s
# Any hardware some basic tests
os: &os_pcei
-
name: ltp
what: ltp
optional: "True"
-
name: cyclictest
what: cyclictest
optional: "True"
-
name: lynis
what: lynis
optional: "False"
-
name: vuls
what: vuls
optional: "False"
docker: &docker_base
-
name: docker_bench
what: docker_bench
optional: "True"
k8s: &k8s
-
name: conformance
what: conformance
optional: "False"
-
name: etcd_ha
what: etcd_ha
optional: "True"
-
name: kube-hunter
what: kube-hunter
optional: "False"
cd /home/onaplab/validation/bluval
vi volumes.yaml
volumes:
# location of the ssh key to access the cluster
ssh_key_dir:
local: '/home/onaplab/.ssh'
target: '/root/.ssh'
# location of the k8s access files (config file, certificates, keys)
kube_config_dir:
local: '/home/onaplab/kube'
target: '/root/.kube/'
# location of the customized variables.yaml
custom_variables_file:
local: '/home/onaplab/validation/tests/variables.yaml'
target: '/opt/akraino/validation/tests/variables.yaml'
# location of the bluval-<blueprint>.yaml file
blueprint_dir:
local: '/home/onaplab/validation/bluval'
target: '/opt/akraino/validation/bluval'
# location on where to store the results on the local jumpserver
results_dir:
local: '/home/onaplab/results'
target: '/opt/akraino/results'
# location on where to store openrc file
openrc:
local: ''
target: '/root/openrc'
# parameters that will be passed to the container at each layer
layers:
# volumes mounted at all layers; volumes specific for a different layer are below
common:
- custom_variables_file
- blueprint_dir
- results_dir
hardware:
- ssh_key_dir
os:
- ssh_key_dir
networking:
- ssh_key_dir
docker:
- ssh_key_dir
k8s:
- ssh_key_dir
- kube_config_dir
k8s_networking:
- ssh_key_dir
- kube_config_dir
openstack:
- openrc
sds:
sdn:
vim:
cd /home/onaplab/validation/tests
vi variables.yaml
### Input variables cluster's master host
host: 10.121.7.147 # cluster's master host address
username: onaplab # login name to connect to cluster
password: onaplab # login password to connect to cluster
ssh_keyfile: /root/.ssh/id_rsa # Identity file for authentication
|
6. Run BluVal Robot:
| Code Block | ||
|---|---|---|
| ||
cd
bash validation/bluval/blucon.sh pcei |
7. Install LFTOOLS:
| Code Block | ||
|---|---|---|
| ||
sudo apt install python3-pip
sudo python3 -m pip install -U pip
sudo python3 -m pip install -U setuptools
sudo -H pip3 install --ignore-installed PyYAML
pip3 install lftools |
8. Push BluVal Results to Akraino Nexus
| Code Block | ||
|---|---|---|
| ||
# Create .netrc file
vi .netrc
machine nexus.akraino.org
login <LF ID>
password <Password>
# Archive log files
zip -r results.zip ./results
# Push logs to Nexus
NEXUS_PATH="/pcei/job/v2"
NEXUS_URL="https://nexus.akraino.org/"
/home/onaplab/.local/bin/lftools deploy nexus-zip $NEXUS_URL logs $NEXUS_PATH results.zip |
Expected output
Test Results
https://nexus.akraino.org/content/sites/logs/pcei/job/v2/results/
Vuls
CVEs Found:
| CVE | CVSS | URL | Exception |
|---|---|---|---|
| CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | Requested by another BP |
| CVE-2017-18342 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18342 | Requested by another BP |
| CVE-2017-8283 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-8283 | Requested by PCEI. Approved |
| CVE-2018-20839 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-20839 | Requested by another BP |
| CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | Requested by another BP |
| CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | Requested by another BP |
| CVE-2019-19814 | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2019-19814 | Requested by PCEI. Approved |
Lynis
Fixes for Lynis:
PASS_MAX_DAYS
https://askubuntu.com/questions/424216/what-is-password-aging-limits
vi /etc/login.defs
change
PASS_MAX_DAYS 1500
UNMASK 027
NOTE: changing the UNMASK value from default 022 to 027 resulted in the Lynis test suite erroring out. Exception was granted.
KRNL-6000
https://linux-audit.com/understand-and-configure-core-dumps-work-on-linux/
echo "fs.suid_dumpable=0" >> /etc/sysctl.conf
sysctl -p
sysctl -w kernel.dmesg_restrict=1
sysctl -w net.ipv4.conf.all.accept_source_route=0
K8S Conformance
Exception Requested:
Kube-Hunter
Vulnerabilities found
| ID | Status |
|---|---|
| KHV002 | Fixed |
| KHV005 | Fixed |
| KHV050 | Fixed |
| CAP_NET_RAW | Pending |
Fix for KHV002:
On SUT K8S Cluster:
| Code Block | ||
|---|---|---|
| ||
kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "false"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:public-info-viewer
rules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- get
EOF |
Fix for KHV005, KHV050
On SUT K8S Cluster:
| Code Block | ||
|---|---|---|
| ||
kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
automountServiceAccountToken: false
EOF |
Test Dashboards
Single pane view of how the test score looks like for the Blue print.
| Test Group | Total Tests | Pass | Fail |
|---|---|---|---|
| Blueprint Extension Tests | 9 | 9 | 0 |
| Vuls | 1 | 1 | 0 |
| Lynis | 1 | 1 | 0 |
| K8S Conformance | 1 | 0 | 1 |
| Kube-Hunter | 1 | 1 | 0 |
Additional Testing
None
Bottlenecks/Errata
Please refer to PCEI R4 Release Notes