Services version compatibility

composefiles/swarm-uniflow.yml

@@ -38,7 +38,7 @@ services:
       - PROXY_ENABLED=${PROXY_ENABLED:-false}
       - HTTP_PROXY=${HTTP_PROXY}
       - HTTPS_PROXY=${HTTPS_PROXY}
-      - NO_PROXY=workflow-proxy,frinx-frontend,inventory,${UNICONFIG_ZONES_LIST},unistore,uniresource
+      - NO_PROXY=workflow-proxy,frinx-frontend,inventory,krakend,unistore,uniresource,${UNICONFIG_ZONES_LIST},${NO_PROXY}
       - UNICONFIG_ZONES_LIST=${UNICONFIG_ZONES_LIST}
     volumes:
       - ${UF_CONFIG_PATH}/krakend:/etc/krakend:ro
@@ -392,6 +392,7 @@ services:
       - traefik.enable=false
     entrypoint: ["/set_env_secrets.sh", "./run.sh"]
     secrets:
+      - frinx_auth
       - frinx_uniflow
     configs:
       - source: set_env_secrets
@@ -432,7 +433,7 @@ services:
           memory: ${UR_RES_LIMIT_MEM}
 
   inventory:
-    image: frinx/frinx-inventory-server:1.2.1
+    image: frinx/frinx-inventory-server:latest
     logging: *logging_loki
     labels:
       - traefik.enable=false

composefiles/swarm-unistore.yml

@@ -28,7 +28,7 @@ x-tcp_keepalive: &tcp_keepalive
 
 services:
   unistore:
-    image: frinx/uniconfig:5.0.2
+    image: frinx/uniconfig:5.0.6
     logging: *logging_loki
     labels:
       - traefik.enable=false  

config/krakend/scripts/unistore_rbac.lua

@@ -1,4 +1,12 @@
-function user_group_auth(request, permited_groups)
+function getenv(key, fallback)
+    value = os.getenv(key)
+    if value == nil then
+        return fallback
+    end
+    return value
+end
+
+function user_group_auth(request)
 
     -- set variables from request
     local method = request:method()
@@ -9,40 +17,56 @@ function user_group_auth(request, permited_groups)
     local headers_all = headers_group .. "," .. headers_role
 
     -- Unistore RBAC settings
-    local bearer_role=os.getenv("UNISTORE_BEARER_ROLE")
-    local service_role=os.getenv("UNISTORE_SERVICE_ROLE")
-    local network_role=os.getenv("UNISTORE_NETWORK_ROLE")
-
-    local bearer_node=os.getenv("UNISTORE_BEARER_NODE")
-    local service_node=os.getenv("UNISTORE_SERVICE_NODE")
-    local network_node=os.getenv("UNISTORE_NETWORK_NODE")
-
-    -- Add role to permited_group based on node parameter
-    for word in string.gmatch(url, '([^/]+)') do
-        if string.match(word, "node=") then
-            word = string.gsub(word, "node=", "")
-            if string.match(word, bearer_node) then
-                permited_groups=permited_groups..","..bearer_role
-            elseif string.match(word, service_node) then
-                permited_groups=permited_groups..","..service_role
-            elseif string.match(word, network_node) then
-                permited_groups=permited_groups..","..network_role
+
+    local permited_groups=getenv('UNISTORE_CONTROLLER_ADMIN_GROUP')
+    local other_role=getenv("UNISTORE_OTHER_PERMITTED_ROLES",'')
+
+    local bearer_role=getenv("UNISTORE_BEARER_ROLE",'')
+    local service_role=getenv("UNISTORE_SERVICE_ROLE",'')
+    local network_role=getenv("UNISTORE_NETWORK_ROLE",'')
+
+    local bearer_node=getenv("UNISTORE_BEARER_NODE",'')
+    local service_node=getenv("UNISTORE_SERVICE_NODE",'')
+    local network_node=getenv("UNISTORE_NETWORK_NODE",'')
+
+
+    local permited_all=''
+
+    if string.match(url, "node=") then
+        -- Add role to permited_group based on node parameter
+        for word in string.gmatch(url, '([^/]+)') do
+            if string.match(word, "node=") then
+                word = string.gsub(word, "node=", "")
+                print(word)
+                if string.match(word, bearer_node) then
+                    print(bearer_role)
+                    permited_all=bearer_role..","..permited_groups 
+                elseif string.match(word, service_node) then
+                    print(service_role)
+                    permited_all=service_role..","..permited_groups 
+                elseif string.match(word, network_node) then
+                    print(network_role)
+                    permited_all=network_role..","..permited_groups
+                end
             end
         end
+    else
+        permited_all=permited_groups..","..service_role..","..network_role..","..bearer_role..","..other_role
     end
 
     -- remove white spaces and transform to lowercase
     headers_all = headers_all:gsub("%s+", "")
     headers_all = headers_all:lower()
-    permited_groups = permited_groups:gsub("%s+", "")
-    permited_groups = permited_groups:lower()
+    permited_all = permited_all:gsub("%s+", "")
+    permited_all = permited_all:lower()
 
-    print(headers_all)
     -- if request method is different from GET
     --  then check if user is in permitted groups
+
+
     if method ~= "GET" then
         for header_group in string.gmatch(headers_all, '([^,]+)') do
-            for permited_group in string.gmatch(permited_groups, '([^,]+)') do
+            for permited_group in string.gmatch(permited_all, '([^,]+)') do
                 if header_group == permited_group then
                     return
                 end
@@ -53,4 +77,3 @@ function user_group_auth(request, permited_groups)
     end
 end
 
-

config/krakend/templates/unistore.tmpl

@@ -16,7 +16,7 @@
                 "github.com/devopsfaith/krakend-lua/router": {
                     "sources": ["scripts/unistore_rbac.lua"],
                     "allow_open_libs": true,
-                    "pre": "local r = ctx.load(); user_group_auth(r, os.getenv('UNISTORE_CONTROLLER_ADMIN_GROUP'))",
+                    "pre": "local r = ctx.load(); user_group_auth(r)",
                     "live": true
                 }
             {{ else if eq $jwt_production "false" }}
@@ -60,7 +60,7 @@
                         "github.com/devopsfaith/krakend-lua/router": {
                             "sources": ["scripts/uniconfig_query_escape.lua", "scripts/unistore_rbac.lua"],
                             "allow_open_libs": true,
-                            "pre": "local r = ctx.load(); r:url(urlencode(r)); user_group_auth(r, os.getenv('UNISTORE_CONTROLLER_ADMIN_GROUP'))",
+                            "pre": "local r = ctx.load(); r:url(urlencode(r)); user_group_auth(r)",
                             "live": true
                         }
                     {{ else if eq $jwt_production "false" }}

config/prod_settings.txt

@@ -67,8 +67,8 @@ FF_ULIMIT_NOFILE_SOFT=65535
 FF_ULIMIT_NOFILE_HARD=65535
 FF_ULIMIT_NPROC_SOFT=5000
 FF_ULIMIT_NPROC_HARD=5000
-FF_RES_LIMIT_CPUS=0.25
-FF_RES_LIMIT_MEM=64M
+FF_RES_LIMIT_CPUS=1
+FF_RES_LIMIT_MEM=128M
 
 PG_ULIMIT_NOFILE_SOFT=65535
 PG_ULIMIT_NOFILE_HARD=65535
@@ -95,8 +95,8 @@ UR_ULIMIT_NOFILE_SOFT=65535
 UR_ULIMIT_NOFILE_HARD=65535
 UR_ULIMIT_NPROC_SOFT=5000
 UR_ULIMIT_NPROC_HARD=5000
-UR_RES_LIMIT_CPUS=0.25
-UR_RES_LIMIT_MEM=128M
+UR_RES_LIMIT_CPUS=4
+UR_RES_LIMIT_MEM=2048M
 
 IV_ULIMIT_NOFILE_SOFT=65535
 IV_ULIMIT_NOFILE_HARD=65535

config/secrets/frinx_rbac

@@ -6,6 +6,7 @@ UNISTORE_CONTROLLER_ADMIN_GROUP=network-admin
 UNISTORE_BEARER_ROLE=''
 UNISTORE_SERVICE_ROLE=''
 UNISTORE_NETWORK_ROLE=''
+UNISTORE_OTHER_PERMITTED_ROLES=''
 UNISTORE_BEARER_NODE=bearer
 UNISTORE_SERVICE_NODE=service
 UNISTORE_NETWORK_NODE=network

config/unistore/lighty-unistore-config.json

@@ -95,7 +95,13 @@
                 "username": "admin",
                 "password": "secret"
             }
-        }
+        },
+        // Flag that determines if uniconfig-shell provides scrolling of output
+        "enableScrolling": false,
+        // Number of history items to keep in memory
+        "historySize": 500,
+        // Number of history items to keep in the history file
+        "historyFileSize": 1000
     },
     /*
     Settings for the Device Discovery service
@@ -190,7 +196,13 @@
                     // TCP port on which target database listens to incoming connections
                     "port": 26257
                 }
-            ]
+            ],
+            /*
+            Repairs the Flyway schema history table before Flyway migration. This will perform the following actions:
+             1. Remove any failed migrations on databases.
+             2. Realign the checksums, descriptions and types of the applied migrations with available migrations.
+            */
+            "repairSchemaHistory": false
         },
         // UniConfig instance naming settings.
         "uniconfigInstance": {
@@ -224,15 +236,16 @@
     },
     // Grouped settings that are related to Uniconfig transactions.
     "transactions": {
+        "maxStoredTransactions": 100,
         /*
         Time after transaction can be closed [seconds] by transaction cleaner.
         */
-        "transactionIdleTimeOut": 1800,
+        "transactionIdleTimeOut": 3600,
         /*
         Maximum transaction age before it can be evicted from transaction registry [seconds].
         Configuring '0' disables cleaning of Uniconfig transactions.
         */
-        "maxTransactionAge": 3600,
+        "maxTransactionAge": 7200,
         /*
         Interval at which expired transactions are closed and cleaned [seconds].
         Expired transaction: transaction which age exceeds 'maxTransactionAge' setting.
@@ -273,6 +286,8 @@
             "transactionNotificationsEnabled": true,
             // Enabled collection and propagation of data-change-events into Kafka.
             "dataChangeEventsEnabled": true,
+            // Enabled collection and propagation of connection notifications into Kafka.
+            "connectionNotificationsEnabled": true,
             // Unique identifier of topic that is used for storing netconf notifications.
             "netconfNotificationsTopicName": "netconf-notifications",
             // Unique identifier of topic that is used for storing audit logs.
@@ -281,6 +296,10 @@
             "transactionsTopicName": "transactions",
             // Unique identifier of the Kafka topic used for distribution of data-change-events.
             "dataChangeEventsTopicName": "data-change-events",
+            // Unique identifier of the Kafka topic used for distribution of connection notifications.
+            "connectionNotificationsTopicName": "connection-notifications",
+            // If only connection notifications for NETCONF stream are enabled.
+            "connectionNotificationsNetconfStreamOnly": true,
             // Configuration of how long the send() method and the creation of connection for
             // reading of metadata methods will block. (in ms)
             "blockingTimeout": 60000,
@@ -392,5 +411,27 @@
         // "netconfReferenceModuleName": "system",
         // name of YANG module which contains deviations to leaves/leaf-lists that must be encrypted
         // "netconfEncryptedPathsModuleName": "encrypted-paths"
+    },
+    // settings for metrics
+    "metrics": {
+            // flag that determines if metrics will be reported or not
+            "enabled": true,
+            // reporter type (log, csv)
+            "reporter": "log",
+            // reporting rate in seconds
+            "rate": 30
+        // example csv output for one metric
+        //        t,count,mean_rate,m1_rate,m5_rate,m15_rate,rate_unit
+        //        1650557436,3,0.182204,0.507889,0.580330,0.593370,events/second
+        //        1650557466,3,0.064564,0.308050,0.525104,0.573917,events/second
+        //        1650557496,3,0.039233,0.186842,0.475134,0.555102,events/second
+        //        1650557526,3,0.028178,0.113325,0.429919,0.536904,events/second
+        //        1650557534,3,0.026281,0.104264,0.422813,0.533929,events/second
+        //
+        // example log output
+        // 18:16:20.886 INFO io.frinx.uniconfig.metrics.impl.ReporterImpl - type=GAUGE, name=io.frinx.uniconfig.manager.impl.task.TaskExecutorImpl.queue_size, value=0
+        // 18:16:20.887 INFO io.frinx.uniconfig.metrics.impl.ReporterImpl - type=METER, name=org.opendaylight.controller.uniconfig.transaction.manager.impl.UniconfigTransactionManagerImpl.transaction_invoke, count=0, m1_rate=0.0, m5_rate=0.0, m15_rate=0.0, mean_rate=0.0, rate_unit=events/second
+        // 18:16:20.887 INFO io.frinx.uniconfig.metrics.impl.ReporterImpl - type=METER, name=org.opendaylight.yangtools.yang.common.RpcResult.rpc_invoke, count=3, m1_rate=0.3080502714195554, m5_rate=0.5251039914257685, m15_rate=0.5739172434618175, mean_rate=0.06565517632771098, rate_unit=events/second
+
     }
 }

startup.sh

@@ -458,7 +458,7 @@ function setProxyEnv {
 
 
 function setManagerIpAddrEnv {
-  MANAGER_IP_ADDR=$(docker node inspect --format '{{.ManagerStatus.Addr}}' self | cut -d ' ' -f 1)
+  MANAGER_IP_ADDR=$(hostname -I | cut -d ' ' -f 1)
   export MANAGER_IP_ADDR
 }