# Seamless Experimentation Across FABRIC and Nautilus

## Mohammad Firas Sada - UCSD

This tutorial demonstrates how to establish a connection between a FABRIC slice and a Kubernetes pod on Nautilus (the National Reseach Platform's cluster), enabling cross-testbed experimentation.

## 1. Prerequisites
- FABRIC account with project access
- Nautilus cluster access through a namespace (more details below)
- Basic understanding of Jupyter notebooks and FABRIC

### Accessing the National Research Platform:

The National Research Platform provides access to users through the Nautilus cluster, which uses federated identity through CILogon to authenticate. Users need to be part of a namespace to provision resources and services on Nautilus. Namespace admins can create and manage namespaces.

#### Cluster Access for Demo:

<span style="color:red; font-weight:bold;">For the demo presented below, your access to the cluster will be through the <span style="color:red; font-weight:bold;">`nrp-fabric-integration`</span> namespace, which is specifically used for demonstrations. We have provided you with a <span style="color:red; font-weight:bold;">token</span> that grants the necessary permissions to start pods and reproduce the tutorial.</span>

<span style="color:red;">Please follow the instructions provided below to formally use the cluster and start the demo. More detailed guidance can also be found in the <a href="https://docs.nrp.ai/" style="color:blue;">Nautilus Documentation</a>.</span>



#### To join Nautilus:


1. Point your browser to the [PRP Nautilus portal](https://portal.nrp-nautilus.io).

2. On the portal page click on **`Login`** button at the top right corner.

3. You will be redirected to the **`CILogon`** page where you have to **Select an Identity Provider**.

4. Select your institution (example: University Name) from the menu and click the **`Log On`** button.

    - If your institution is using **`CILogon`** as a federated certification authority, it will be in the menu. Select the name of your institution and use either a personal account or an institutional G-suite account. This is usually your institutional account name (email) and a password associated with it.
    - If your institution is not using **`CILogon`**, you can select **`Google`**.

5. After a successful authentication, you will log on to the portal with a **`guest`** status.


6. If you are a **student**, please contact your research supervisor and ask them to add you to their namespace. Once you are added to a namespace, your status will change to a cluster **`user`** and 
you will get access to all namespace resources.

7. If you are a **faculty member, researcher, or postdoc** starting a new project and need your own namespace—either for yourself or your research group—you 
can request to be promoted to a namespace **`admin`** in [Matrix](nrp.ai/contact).
As an **`admin`**, you will have the ability to: 
    - Create multiple namespaces.
    - Invite other users to your namespace(s).

8. Once you are made either a **`user`** or **`admin`** of a namespace, you will need to accept the Acceptable Use Policy (AUP) on the portal page in order to get access to the cluster.
9. **Make sure you read the cluster policy before starting to use it.**
    - Read the [Policies](https://nrp.ai/documentation/userdocs/start/policies) page.
    - Read the [NRP Acceptable Use Policy (AUP).](https://nrp.ai/NRP-AUP.pdf)


If you run into any issues, please refer to the official [NRP Documentation](https://docs.nrp.ai), or reach out to us via [Matrix](https://element.nrp-nautilus.io) or [email](mailto:support@nationalresearchplatform.org).

## 2. FABRIC Setup
### 2.1 Install Dependencies

In [None]:
!pip install kubernetes

In [None]:
from kubernetes import client, config
from kubernetes.client.rest import ApiException
from kubernetes.stream import stream
import os
import time
import random
import string

### 2.2 Configure FABRIC Environment

In [None]:
from fabrictestbed_extensions.fablib.fablib import FablibManager as fablib_manager

fablib = fablib_manager()
                     
fablib.show_config();

In [None]:
# manually select a site
site = 'UCSD'

In [None]:
# generate a name for the slice
slice_name = "my-slice-" + ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
print(f"slice_name= {slice_name}")

<span style="color:#D32F2F; font-weight:bold;">
To connect from FABRIC to Nautilus, we utilize Facility Ports, which allow us to establish a connection from the FABRIC dataplane through the UCSD site to Nautilus, specifically to the Nautilus nodes at UCSD.
</span>

<ul>
  <li>For more information on Facility Ports, visit: <a href="https://learn.fabric-testbed.net/knowledge-base/fabric-facility-ports/" style="color:#1976D2;">FABRIC Facility Ports</a></li>
  <li>For more details about the Nautilus nodes, check: <a href="https://portal.nrp-nautilus.io/resources" style="color:#1976D2;">Nautilus Resources</a></li>
</ul>

<span style="color:#388E3C;">
In this setup, we will be using the FABRIC facility ports <strong>NRP-UCSD</strong> and <strong>FP1-UCSD</strong>.
</span>

<p>
Additionally, we have employed the <span style="color:#0288D1; font-weight:bold;">ESnet SENSE Orchestrator</span> to establish a 1Gbps L2 path between the FABRIC UCSD site and the Nautilus node (<strong>node-2-7.sdsc.optiputer.net</strong>) through a map of VLAN tags listed below.
</p>

<ul>
  <li>For more about SENSE, visit: <a href="https://sense.es.net/" style="color:#1976D2;">SENSE Orchestrator</a></li>
</ul>

In [None]:
vlan_map = {
    "3110": (3110, "FP1-UCSD"),
    "3111": (3607, "FP1-UCSD"),
    "3113": (3113, "FP1-UCSD"),
    "3114": (3114, "FP1-UCSD"),
    "3116": (3116, "FP1-UCSD"),
    "3118": (3119, "FP1-UCSD"),
    "3119": (3135, "FP1-UCSD"),
    "3123": (3123, "NRP-UCSD"),
    "3124": (3124, "NRP-UCSD"),
    "3125": (3125, "NRP-UCSD"),
    "3126": (3126, "NRP-UCSD"),
    "3127": (3127, "NRP-UCSD"),
    "3128": (3118, "NRP-UCSD"),
    "3129": (3129, "NRP-UCSD")
}


<span style="color:#F57C00; font-weight:bold;">
  <p><strong>Please pick a VLAN tag from the above dictionary for your UCSD slice.</strong></p>
  <p>If the selected VLAN tag is already in use, you will need to choose a different one.</p>
</span>


In [None]:
vlan_choice = "3114"

### 2.3 Create the FABRIC UCSD Slice

In [None]:
slice = fablib.new_slice(name=slice_name)
image = 'docker_ubuntu_20'

facility_port=vlan_map[vlan_choice][1]
facility_port_site='UCSD'
facility_port_vlan=vlan_choice


node = slice.add_node(name=f"Node1", site='UCSD',cores=1, ram=8, disk=100, image=image)
node_iface = node.add_component(model='NIC_Basic', name="nic1").get_interfaces()[0]

facility_port = slice.add_facility_port(name=facility_port, site=facility_port_site, vlan=facility_port_vlan)
facility_port_interface =facility_port.get_interfaces()[0]

print(f"facility_port.get_site(): {facility_port.get_site()}")

facility_port.get_name()

net = slice.add_l2network(name=f'net_facility_port', interfaces=[])
net.add_interface(node_iface)
net.add_interface(facility_port_interface)


slice.submit()

In [None]:
slice = fablib.get_slice(name=slice_name)
node1 = slice.get_node(name="Node1")

### 2.4 Configure the Interface

In [None]:
command = "sudo ip addr add 192.168.1.1/24 dev enp7s0 && sudo ip link set enp7s0 up && ip addr show enp7s0"

stdout, stderr = node1.execute(command)

In [None]:
command = "sudo apt-get update && sudo apt-get install iputils-ping -y"

stdout, stderr = node1.execute(command)

## 3. Kubernetes Setup

### 3.1 Configure Kubernetes Client

In [None]:
namespace = 'nrp-fabric-integration'

In [None]:
pod_name = "my-pod-" + ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
print(f"pod_name= {pod_name}")

In [None]:
# Path to your Kubernetes config file (optional)
#kube_config_path = '/path/to/your/kubeconfig'  # Adjust this to your config file path, or set to None

In [None]:
# Define the token (used if no config file is provided)
token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6Illyc2M5bTg5czdZQlJYTFZjVTNNME5MRVBENEVFbWw2VHhoRXZZLWhkR3cifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzQ5ODc3ODY3LCJpYXQiOjE3NDEyMzc4NjcsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJucnAtZmFicmljLWludGVncmF0aW9uIiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRlZmF1bHQiLCJ1aWQiOiJhZmZjYjEzMy03ZWJiLTRiZDUtOGRmYy0wYmQ0MzYwMDg5ZGYifX0sIm5iZiI6MTc0MTIzNzg2Nywic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Om5ycC1mYWJyaWMtaW50ZWdyYXRpb246ZGVmYXVsdCJ9.N_xlop4B5K-XSO-DTYw0esd2Jc9DL95ZP8XmMhnLnFGtUYubbBNtOXoHBLQJ55hW0_6erTzz_Dq1FGHlDMa77Px3dK_xX_q-ghhyHEENWsxK0Tv_PoyEBw13DG1E4BJ-ClFPpc7O0WcQHlwd-XLLxVMaiFZwh5IFyqYg3CR5QS3r37m7y4KMTZNhJmNQ1NbY8ia0P7FNLU5EuK-ut_Fv-BcFPGQnNAm0LKDa_XzJqfQbe41f0H7MLbwi8N58eMjEpt3eyvSt5B4v_b6M9rCeyBfF0yMnHWx5UU2Mi_xDuMdRxf9mOeHInjVVsk4Iao5hCbSOAHMuoBoxGx3k_OWbRg'

In the event that the token doesn't work, please contact the NRP admins via Matrix (linked in the beginning).

In [None]:
# Ensure kube_config_path is defined before checking
kube_config_path = kube_config_path if 'kube_config_path' in locals() else None

# Check if kube_config_path exists and load configuration
if kube_config_path and os.path.exists(kube_config_path):
    config.load_kube_config(config_file=kube_config_path)
    print("Kubeconfig loaded successfully.")
else:
    # Fallback to token if no config file is found
    print("No kubeconfig found. Using token for authentication.")
    configuration = client.Configuration()
    configuration.host = 'https://67.58.53.147:443'  # Your server URL
    configuration.api_key = {'authorization': f'Bearer {token}'}  # Use the token for authorization
    configuration.verify_ssl = False
    api_client = client.ApiClient(configuration)


### 3.2 Create Pod with VLAN Attachment

In [None]:
# Define the node you want the pod to land on
node = 'node-2-7.sdsc.optiputer.net'  # The node you want the pod to land on


In [None]:
# Define Node Affinity
node_affinity = client.V1NodeAffinity(
    required_during_scheduling_ignored_during_execution=client.V1NodeSelector(
        node_selector_terms=[
            client.V1NodeSelectorTerm(
                match_expressions=[
                    client.V1NodeSelectorRequirement(
                        key='kubernetes.io/hostname',  # Standard node name label
                        operator='In',
                        values=[node]  # The node you want the pod to land on
                    )
                ]
            )
        ]
    )
)

# Define the affinity
affinity = client.V1Affinity(
    node_affinity=node_affinity
)


In [None]:
# Define the security context with network capabilities
security_context = client.V1SecurityContext(
    capabilities=client.V1Capabilities(
        add=["NET_RAW", "NET_ADMIN"]
    )
)

In [None]:
# Define pod spec
pod_spec = client.V1PodSpec(
    affinity=affinity,
    containers=[
        client.V1Container(
            name='my-container',
            image='alpine:latest',  # Specify the container image you want
            command=["sleep", "3600"],# Just keeps the pod running for an hour
            security_context=security_context
        )
    ]
)


In [None]:
# Define the pod
pod = client.V1Pod(
    metadata=client.V1ObjectMeta(
        name=pod_name,
        annotations={
            "k8s.v1.cni.cncf.io/networks": f"ens-{vlan_map[vlan_choice][0]}"
        }
    ),
    spec=pod_spec
)


In [None]:
# Create the pod in the specified namespace
try:
    if kube_config_path and os.path.exists(kube_config_path):
        api_instance = client.CoreV1Api()
    else:
        api_instance = client.CoreV1Api(api_client)
    
    api_response = api_instance.create_namespaced_pod(namespace=namespace, body=pod)
    print(f"Pod created. Name: {api_response.metadata.name}")
except ApiException as e:
    print(f"Exception when creating pod: {e}")


In [None]:
pod = api_instance.read_namespaced_pod(name=pod_name, namespace=namespace)

In [None]:
time.sleep(20)
command = ["/bin/sh", "-c", "ip addr show net1"]

# Execute the command in the pod
resp = stream(api_instance.connect_get_namespaced_pod_exec,
              pod_name, namespace,
              command=command,
              stderr=True, stdin=False, stdout=True, tty=False)

print(resp)

## 4. Connectivity Test

### 4.1 Configure IP Address on Pod

In [None]:
command = [
    "/bin/sh", "-c",
    "ip addr flush dev net1 && ip addr add 192.168.1.2/24 dev net1 && ip addr show net1"
]

# Execute the command in the pod
resp = stream(api_instance.connect_get_namespaced_pod_exec,
              pod_name, namespace,
              command=command,
              stderr=True, stdin=False, stdout=True, tty=False)

print(resp)


### 4.2 Test from Nautilus to FABRIC

In [None]:
command = [
    "/bin/sh", "-c",
    "ping -I net1 -c 4 192.168.1.1"
]

# Execute the command in the pod
resp = stream(api_instance.connect_get_namespaced_pod_exec,
              pod_name, namespace,
              command=command,
              stderr=True, stdin=False, stdout=True, tty=False)

print(resp)


### 4.3 Test from FABRIC to Nautilus

In [None]:
command = "ping -I enp7s0 -c 4 192.168.1.2"

stdout, stderr = node1.execute(command)

## 5. Interactive Access

### 5.1 SSH into FABRIC Node

In [None]:
slice.get_nodes()[0].get_ssh_command()

### 5.2 Kubectl access to the Nautilus Pod

In [None]:
# Generate kubectl exec command with token authentication
server_url= 'https://67.58.53.147:443'
print("\nTo access the pod, run:")
print(f"""
kubectl exec -it {pod_name} -n {namespace} \\
    --token={token} \\
    --server={server_url} \\
    --insecure-skip-tls-verify=true \\
    -- /bin/sh
""")

## 6. Cleanup

In [None]:
# To delete the slice
slice = fablib.get_slice(name=slice_name)
slice.delete()

The pod has `sleep 3600`, which means it will automatically delete within an hour from starting.

---

This is the end of the tutorial. If you run into any issues, please refer to the official [NRP Documentation](https://docs.nrp.ai), or reach out to us via [Matrix](https://element.nrp-nautilus.io) or [email](mailto:support@nationalresearchplatform.org).

---