
FSM SSM Development

Manuel Peuster edited this page Dec 13, 2019 · 32 revisions

Scope

This page captures all relevant information about the development of the FSM/SSM required for the industrial pilot. It focuses in particular on use case 2, "Putting NS2 in isolation when an intrusion is detected", which boils down to reconfiguring the MDC to point to another instance (the assumed quarantine instance) of NS1.

To realise this, we need to develop 1-2 reconfiguration FSM(s) and/or SSM(s). Their design and implementation will be documented below.

Responsible: Manuel (UPB)

User Stories

("User" here means us as project members, or the SP itself, wanting to use this for the review demo. The role is not further broken down into developers, shop managers or similar; the distinction does not matter here.)

  • [US1] Deployment of FSM/SSM as part of NS2 instance: The FSM/SSM that controls the reconfiguration of the MDC will be part of the same service (NS2). As a user I want to add this FSM/SSM to the service package and get it deployed along with NS2.

  • [US2] Manually trigger reconfiguration: As a user, I want to manually trigger the reconfiguration action of a running NS2 instance. I want to do this through an API (e.g. a single, super-simple REST call). If we have this API we can let the factory management portal (FMP) trigger it when the user presses the "quarantine" button.

  • [US3] Policy-triggered reconfiguration based on alarm of IDS: As the SONATA-SP, I want to trigger the reconfiguration action if a specific policy in the policy manager is triggered. This policy is triggered when it receives the "intrusion" alarm from the IDS system over the monitoring system of the SONATA-SP, i.e., a metric like intrusion_detected jumps from 0 to 1.

  • [US4] Reconfigure the MDC CNF: If US2 or US3 is performed, I as the FSM/SSM want to reconfigure the MDC VNF to let it point to another (predefined and already running) NS1 instance, i.e., another MQTT broker. To this end, the MDC is restarted with a changed ENV variable pointing to the new broker.

Open Questions

  • Reachability of the SSM from outside? The externally running FMP needs to reach the SSM to trigger the reconfiguration when a user presses the "quarantine" button. BUT: SSMs are not reachable from the outside. So we need some kind of command-and-control server that runs outside the platform, next to the FMP; the FMP calls it and it in turn triggers the FSM. A gRPC server-streaming solution, as shown below, seems to be a nice design.

Issues:

SM pilot command and control server (SMP-CCS)

This small auxiliary component intends to solve the problem that FSMs are not reachable from the outside, which makes it hard to trigger manual reconfigurations, e.g., from the FMP. The idea is to run this small component next to the FMP. The FMP accesses it through a REST API provided by the SMP-CCS. The FSM in turn connects to the SMP-CCS and opens a gRPC server-stream connection. Over this stream the SMP-CCS can trigger actions in the FSM whenever it wants, while the FSM itself never needs to be reachable from outside. The only assumption is that the FSM can reach the SMP-CCS, which is easy to realise, e.g., by hosting the SMP-CCS in the public Internet. Note that this makes the SMP-CCS a publicly reachable control point: whoever can call its REST API can put a service instance into quarantine, so access to that API (and to the gRPC port the SSMs register on) should be restricted before the setup is used beyond the demo.

Code location: tools/smp-ccs (see the README and documentation in that folder).

The SMP-CCS is deployed at UPB's premises and reachable from the Internet:

  • Host: fgcn-tango-smp-ctrl.cs.upb.de
  • gRPC: 9012/TCP
  • REST: 80/TCP

curl -X GET fgcn-tango-smp-ctrl.cs.upb.de/api/v1/ssmstatus

Planned design:

   {private}                        {public}
+------------+                 +-----------------+
|            |                 |     SMP-CCS     |
|    FMP     |-----REST------->|(e.g. in Docker) |
|            |                 |                 |
+------------+                 +-----------------+
                                   ^        |
                                   |  (2) gRPC srv.
                                   |     stream
                               (1) gRPC     |
                                 req.       |
                                   |        |
                    + - - - - - - -|- - - - + - - - - - - - +
                    |              |        v               |
                    |          +-----------------+          |
                    |          | +-----------------+        |
                    |          +-| +-----------------+      |
                    |            +-|      SSMs       |      |
                    |              +-----------------+      |
                    |                                       |
                    |            SONATA-NFV MANO            |
                    + - - - - - - - - - - - - - - - - - - - +
                                    {private}
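To make the control flow concrete, here is an added Python model of the SMP-CCS state and of the SSM's reaction. This is example code written for this page, not the pilot's implementation in tools/smp-ccs. It leaves out both transports: `next_command` stands in for what a gRPC server-streaming handler would yield to the connected SSM, and `ssm_status` / `set_quarantaine` stand in for the two REST calls shown further down. The meaning of the `changed` field, the `MDC_BROKER_URL` variable name and the two broker URLs are assumptions.

```python
"""Transport-agnostic model of the SMP-CCS control loop.

Added example for this page, not the pilot's own code. It models the three
interactions in the design above: the SSM registering and reading commands
from its outbound stream (the gRPC server stream), the FMP/operator REST PUT
that sets the quarantaine flag, and the SSM turning a command into the MDC's
new broker ENV (US4) plus the 0 -> 1 edge trigger on intrusion_detected (US3).
Assumptions (not from the page): the semantics of `changed`, the variable name
MDC_BROKER_URL and the two broker URLs.
"""
import time
from collections import deque
from dataclasses import asdict, dataclass, field


def _now() -> int:
    return int(time.time())


@dataclass
class SsmRecord:
    """One entry of GET /api/v1/ssmstatus; field names as the SMP-CCS API spells them."""
    uuid: str
    name: str
    status: str = "running"
    time_created: int = field(default_factory=_now)
    time_updated: int = field(default_factory=_now)
    changed: bool = False       # assumption: a PUT is pending that the SSM has not read yet
    quarantaine: bool = False   # API spelling kept on purpose


class SmpCcs:
    """Registry plus one command queue per SSM. Knows nothing about HTTP or gRPC."""

    def __init__(self) -> None:
        self._ssms = {}      # uuid -> SsmRecord
        self._pending = {}   # uuid -> deque of commands not yet streamed to the SSM

    # ---- gRPC side: the SSM connects outbound, so it can stay unreachable behind the MANO ----
    def register(self, uuid: str, name: str) -> SsmRecord:
        """Called when an SSM opens its stream; a reconnect keeps the existing record."""
        self._pending.setdefault(uuid, deque())
        return self._ssms.setdefault(uuid, SsmRecord(uuid=uuid, name=name))

    def next_command(self, uuid: str):
        """What the server-streaming handler yields to the SSM next; None if nothing is pending."""
        queue = self._pending.get(uuid)
        if not queue:
            return None
        command = queue.popleft()
        if not queue:                       # the SSM has now seen every change
            self._ssms[uuid].changed = False
        return command

    # ---- REST side: what the FMP's "quarantine" button talks to ----
    def ssm_status(self) -> dict:
        """GET /api/v1/ssmstatus -> {} when no SSM is registered."""
        return {uuid: asdict(rec) for uuid, rec in self._ssms.items()}

    def set_quarantaine(self, uuid: str, flag) -> SsmRecord:
        """PUT /api/v1/ssmstatus -d uuid=<service instance uuid> -d quarantaine=0|1"""
        if uuid not in self._ssms:
            raise KeyError(f"no SSM registered for service instance {uuid}")
        rec = self._ssms[uuid]
        wanted = bool(int(flag))            # accepts 1, "1", True, 0, "0", False
        if rec.quarantaine == wanted:
            return rec                      # nothing changed: push no command, restart nothing
        rec.quarantaine = wanted
        rec.changed = True
        rec.time_updated = _now()
        self._pending[uuid].append({"action": "quarantaine", "value": wanted})
        return rec


# ---- SSM side ----
# Assumed broker endpoints: the regular NS1 instance and the predefined quarantine NS1 instance.
BROKERS = {"normal": "mqtt://ns1-broker:1883", "quarantine": "mqtt://ns1-quarantine-broker:1883"}


def mdc_env_for(command: dict) -> dict:
    """US4: the ENV the MDC is restarted with for a command read from the stream."""
    target = "quarantine" if command["value"] else "normal"
    return {"MDC_BROKER_URL": BROKERS[target]}   # variable name is an assumption


class IntrusionEdgeTrigger:
    """US3: call `on_intrusion` exactly once when intrusion_detected goes 0 -> 1."""

    def __init__(self, on_intrusion) -> None:
        self._on_intrusion = on_intrusion
        self._last = 0

    def on_metric(self, value: int) -> bool:
        fired = self._last == 0 and value == 1
        self._last = value
        if fired:
            self._on_intrusion()
        return fired


if __name__ == "__main__":
    ccs = SmpCcs()
    uuid = "ecab541d-89de-42a5-b880-46e9ed47a9fd"   # constructed; mirrors the status example below
    ccs.register(uuid, "eu.5gtango.test-nsid1v.0.1")
    ccs.set_quarantaine(uuid, "1")                  # what the FMP's REST PUT does
    cmd = ccs.next_command(uuid)                    # what the SSM reads from its stream
    print(cmd, mdc_env_for(cmd), ccs.ssm_status()[uuid]["changed"])
```

Two details matter in practice: `set_quarantaine` pushes a command only when the flag actually changes, so a repeated press of the "quarantine" button does not restart the MDC twice, and the edge trigger fires only on the 0 to 1 transition, so a metric that stays at 1 does not keep re-triggering the reconfiguration.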

Prototype Development

The development takes mainly place in branch feature-31 of Manuel's fork of the industry pilot wiki.

Code locations:

Development/local testing

See the README files in the ssms/ folder and the tools/smpcc folder for local testing instructions.

Deploying/testing

Those are the initial notes made during testing:

Workflow:

# set target platform
export SP_PATH=http://pre-int-sp-ath.5gtango.eu

# package
cd sdk-projects
./pack.sh

# on-board (attention: check that the correct files are used)
tng-cli package -u eu.5gtango.tng-smpilot-ns1-k8s.0.8.tgo
tng-cli package -u eu.5gtango.tng-smp-ns2-k8s-mdc-eids.0.8.tgo
tng-cli package -l


# instantiate (with parameters for NS2)
tng-cli service -n test1-sm-ns1 -i <ns1_service_uuid_from_portal>
tng-cli service -n test1-sm-ns2 --params_file inst_params_ns2.yml -i <ns2_service_uuid_from_portal>

Check logs:

Helpful query patterns:

source:pre-int-sp-ath

source:pre-int-sp-ath && ssm

source:pre-int-sp-ath && container_name:tng-ssm-industry-pilot-ns2cd87b665-2aef-4dce-be2b-80b08f643bc0

Check the SMP-CCS server:

The SMP-CCS server provides a REST API to check the registration status of the SSMs:

# get status of all registered SSMs
curl -X GET fgcn-tango-smp-ctrl.cs.upb.de/api/v1/ssmstatus

# response when no SSM is registered:
{}

# response with one registered SSM:
{
    "ecab541d-89de-42a5-b880-46e9ed47a9fd": {
        "uuid": "ecab541d-89de-42a5-b880-46e9ed47a9fd",
        "name": "eu.5gtango.test-nsid1v.0.1",
        "status": "running",
        "time_created": 1574171248,
        "time_updated": 1574171248,
        "changed": false,
        "quarantaine": false
    }
}

Manually trigger quarantine using the SMP-CCS (the API field is spelled quarantaine):

# set the quarantaine state:
curl -X PUT fgcn-tango-smp-ctrl.cs.upb.de/api/v1/ssmstatus -d uuid=<put_the_service_instance_uuid_here> -d quarantaine=1