Release 4 target date is November 30th 2020.
- Self Certified Milestones Achievement Due Date Oct 31st 2020 ( Milestone 4)
2. Maturity Review Milestone Achievement Due date Oct 31st 2020
Please add targeted and achieved R4 milestones at:
BP Incubation Stage Reporting R4 (To be updated)
Define area of focus
(to be updated)
- Virtual meeting to start to have a session to discuss all of the agenda items.
- Different patches from different blueprints need to be up-streamed.
- Need a consistent framework
- New blueprints have been committed for R4.
- Want to increase standards on Release 4.
- Validation Project test layers and test cases
- Self Certification in R4?
Release 4 Requirements
- High Level Overall Requirements
- CI, Blueprint Validation Lab Sub-Committee Requirements
- Present Pod Topology document.
- Peering w/LF Jenkins - (Note: peering is an optional requirement)
- Push logs through Nexus. (Note: This is mandatory for Incubation self-certified and Maturity)
Releases >= 1.0 (e.g. 1.xyz, 2.xyz etc) are reserved for BP that have been approved as Core by the TSC (considered ‘GA’ quality).
Releases <1.0 (e.g. 0.xyz etc) are reserved for projects that have not reached the Akraino Core level (i.e. anything that is in Incubation (‘alpha’ quality) and Mature (‘beta’ quality).
Enforcement of Static Code Analysis through SonarCloud (SaaS), WIP LF Release Engineering & Security Subcommittee. (Note: This is an optional requirement for Incubation self certified and mandatory for Maturity)
- Security Sub-Committee Requirements, please fill in Release 4 Blueprint Scanning Status. Instructions can be found at: Steps To Implement Security Scan Requirements
- Blueprint Validation Framework Feature Project Requirements See TSC meeting.
- Projects going for Maturity Review please refer to Maturity Criteria defined by Process subcommittee BP Graduation Review Processes and Criteria (Note this is not required for self certification, only required for maturity review)
- Documentation Sub-Committee Requirements
User Documents:
The following documentation with the following sections called out should be on the wiki with links to rest of the sections as applicable. We prefer that the entire doc is on the wiki but we do not require it.
Architecture - Blue print Overview and overall architecture
Release Notes – Summary and What is released
Installation Doc – Introduction and deployment architecture
Test Document – Introduction and Overall Test Architecture
Developer Documents:
We are also recommending that Blueprints include via ReadtheDocs, with each Blue Print given their own repo, but we do not require it
- API Sub-Committee Requirements (Note: See this link for requirements: Blueprint Projects R4 API Reporting Requirements)
- Community Sub-Committee Requirements (Note: no mandatory requirements for Incubation self-certified or Maturity)
- Process Sub-Committee Requirements (Note: See the Process Sub Committee page defining the TSC approved Maturity review process and requirements for those requesting inclusion in R3 at Mature level BP Graduation Review Processes and Criteria)
- Upstream Sub-Committee Requirements (Note: no mandatory requirements for Incubation self-certified or Maturity). Here is the R4 release Upstream BP review status, Release Upstream Compliance. Also please refer to the page for the R4 requirement as well.
Blue Prints Participating in Release 4
Internal Target date to meet Rel 4 Criteria is Nov 30th ( please add your target/achieved date at the BP Incubation Stage Reporting R2 (To Be Updated))
(To be updated)
| No. | Project Name | TSC Subgroup Release Status | Is this your first release | Going for Maturity Review? | CD Logs URL to be used for review (Column filled in by PTLs) | Link to executive one pager (editable doc format) (Column filled in by PTLs) | API Info Reporting Review (Column filled in by API Subcommittee) (note for PTLs – go here for steps to fill in project API info form) | BluVal Certification | Security Certification Provide link to Vuls, Lynis, and Kube-Hunter logs below. Pass/Fail Criteria: Steps To Implement Security Scan Requirements Exception requests should be filed at: https://wiki.akraino.org/display/AK/Akraino+CVE+Vulnerability+Exception+Request | Upstream Review (Column filled by Upstream Subcommittee and PTLs) (note PTL can go to Release Upstream Compliance to find details) | Date ready for TSC review (Column filled in by PTLs) | TSC Review Date (Column filled in by TSC) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | scheduled at | N | Y | https://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/cvb/ | Form uploaded Scheduled for API subcommittee review Waiting for re-uploaded API info form with PaaS API info Reviewed by API subcommittee, PaaS APIs are subset of TARS APIs Accepted | https://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/cvb/
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request
Lynis:
You are using SHA512 hashing which is good, however, it appears the number of rounds for password hashing is still set to default at 5000. This value must be set higher, 65536. Below is additional information on this topic: The rounds=N option helps to improve key strengthening. The number of rounds has a larger impact on security than the selection of a hash function. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the rounds option, then glibc will default to 5000 rounds for SHA-512. Additionally, the default value for the rounds option can be found in sha512-crypt.c. Open /etc/pam.d/passwd with a text editor and add the rounds option at the end of of the uncommented line. After applying this change the line should look like this: password required pam_unix.so sha512 shadow nullok rounds=65536 After you change the number of rounds you will need to expire the existing passwords to encrypt using the new values. 2. Test: Check if one or more compilers can be found on the system Reason: Our core components of BP are needing more than one compiler and fixing them can break our dependencies. Since this BP is requesting a maturity review all compilers must be removed prior to using the system in production. Are there components that require compilers in the completed production release code? Exceptions approved shown at: Kube-Hunter: Exception granted: K8s not used by this BP. | Yes | 12/01 | ||||
| 2 | scheduled at | N | Y | https://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/iec-type4/ | Form uploaded Scheduled for API subcommittee review Waiting for re-uploaded API info form with PaaS API info Reviewed by API subcommittee, PaaS APIs are subset of TARS APIs Accepted | https://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/iec-type4/
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request
Lynis:
You are using SHA512 hashing which is good, however, it appears the number of rounds for password hashing is still set to default at 5000. This value must be set higher, 65536. Below is additional information on this topic: The rounds=N option helps to improve key strengthening. The number of rounds has a larger impact on security than the selection of a hash function. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password he tests against the hash in your /etc/shadow. Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than 1 second. If you do not use the rounds option, then glibc will default to 5000 rounds for SHA-512. Additionally, the default value for the rounds option can be found in sha512-crypt.c. Open /etc/pam.d/passwd with a text editor and add the rounds option at the end of of the uncommented line. After applying this change the line should look like this: password required pam_unix.so sha512 shadow nullok rounds=65536 After you change the number of rounds you will need to expire the existing passwords to encrypt using the new values. 2. Test: Check if one or more compilers can be found on the system Reason: Our core components of BP are needing more than one compiler and fixing them can break our dependencies. Since this BP is requesting a maturity review all compilers must be removed prior to using the system in production. Are there components that require compilers in the completed production release code? Exceptions approved shown at: Kube-Hunter: Exception granted: K8s not used by this BP. | Yes | 12/01 | ||||
| 3 | Scheduled at Release 4 Review 2020-12-01 (Tues) 7 am Pacific | N | Mature | https://nexus.akraino.org/content/sites/logs/att/job/Install_REC_on_OpenEdge1/ | Form uploaded Reviewed by API subcommittee Accepted | https://nexus.akraino.org/content/sites/logs/att/job/Bluval_Logs/results-11-27-2020.tar | https://nexus.akraino.org/content/sites/logs/att/job/Bluval_Logs/results-11-27-2020.tar
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request
Lynis: -ISSUES that MUST be fixed for Maturity or a more specific exception reason needs to be provided:
Kube-Hunter: Does not appear to have run correctly - question sent to BP owner | Yes | 12/01 | |||
| 4 | Scheduled at | N | N | ICN Master Baremetal Deployment Verifier | Form uploaded Reviewed by API subcommittee Accepted | https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20201210-010310/. | https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20201210-010310/ ICN R4 Test Document#BluValTesting Vuls: Accepted with exceptions shown at: Lynis: Accepted with exceptions shown at: k8s/conformance:
Kube-Hunter: Accepted
| Yes | 12/10 | 12/16 | ||
| 5 | scheduled at | N | N | ELIOT R4 IOT-Gateway Datasheet | Form uploaded Reviewed by API subcommittee Accepted | vuls exceptions Akraino CVE Vulnerability Exception Request |
Vuls: Accepted with exceptions shown at: Lynis: Accepted with exceptions shown at: Kube-Hunter: Accepted with exceptions shown at: | Yes | 12/08 | |||
| 6 | scheduled at | N | N | https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/545/ | ELIOT R4 - SD-WAN / WAN Edge / uCPE Data Sheet | Form uploaded Reviewed by API subcommittee Accepted | vuls exceptions Akraino CVE Vulnerability Exception Request |
Vuls: Accepted with exceptions shown at: Lynis: Accepted with exceptions shown at: Kube-Hunter: Accepted with exceptions shown at: | Yes | 12/08 | ||
| 7 | Scheduled at Release 4 Review 2020-12-09 (Wed) 7:30am | N | Not Applicable | https://nexus.akraino.org/content/sites/logs/juniper/job/NC-Tungsten_Fabric/40/ https://nexus.akraino.org/content/sites/logs/juniper/validation-results/ | Form uploaded Scheduled for API subcommittee review Accepted | Y |
Vuls: Accepted with exceptions shown at:
Lynis: ISSUES that MUST be fixed or a more specific exception reason needs to be provided:
Following compilers found:
Kube-Hunter: In review Sukhdev Kapur has requested that the Release 3 exceptions be provided for Release 4 | Yes | 12/09 | 12/09 | ||
| 8 | Scheduled at | N | N | AWS footprint: GCP footprint: | Form uploaded Reviewed by API subcommittee Accepted | https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results_pae/ |
Vuls: Accepted with exception. The KNI Provider Access Edge blueprint uses OpenShift as its k8s distribution, which is deployed on Red Hat CoreOS, an immutable OS that is not supported by Vuls. https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results_pae/os/vuls/log.html.gz Lynis:
https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results_pae/os/lynis/ Accepted with exceptions shown at: Accepted with exceptions shown at: | Yes | 12/09 | 12/09 | ||
| 9 | Slides for KNI blueprints review: | Scheduled at | Y | N | Mgmt Hub logs: IE logs: | Form uploaded Reviewed by API subcommittee Accepted | https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results_ie/ |
Vuls: Accepted with exception. The KNI Industrial Edge blueprint uses OpenShift as its k8s distribution, which is deployed on Red Hat CoreOS, an immutable OS that is not supported by Vuls. https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results_ie/os/vuls/log.html.gz Lynis: https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results_ie/os/lynis/ Accepted with exceptions shown at: Kube-Hunter: Accepted with exceptions shown at: | Yes | |||
| 10 | Y | N | https://nexus.akraino.org/content/sites/logs/micromec | Akraino R3 MicroMEC blueprint datasheet.docx | Form uploaded API committee review scheduled for | N/A | ||||||
| 11 | N | Y | https://nexus.akraino.org/content/sites/logs/baidu/job/aiedge-otestack-master-deploy/ https://nexus.akraino.org/content/sites/logs/baidu/job/aiedge-otestack-master-validation/ | Hechun replied by e-mail 12Jan, API info form is in progress API committee review tentatively scheduled for | N/A | Yes (Please also update the upstream version besides the repo name) | 06/02 | |||||
| 12 | Y | N | Yes (Please update the upstream versions besides the repo name) | |||||||||
| 13 | Y | N | https://nexus.akraino.org/content/sites/logs/tencent/job/5g-mec-cloud-gaming-CD/15/ | 5G MEC Rel 3 Datasheet | Form uploaded Accepted | N/A | https://nexus.akraino.org/content/sites/logs/tencent/bluval/results_upload
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request Lynis: Accepted with exceptions shown at: Kube-Hunter: Accepted with exceptions shown at: | Please update the release note with upstream information (R4 - Release Notes) | 06/03 | |||
| 14 | N | N | https://nexus.akraino.org/content/sites/logs/ampere/job/akraino_arm_anbox_test/6/ | PTL replied by e-mail that they have no APIs offered or consumed. API subcommittee replied they still need to fill out the API info reporting form with BP name and Comments field explaining current and future API status, and upload the form | Yes | 01/28 | ||||||
| 15 | Scheduled at | N | N | https://nexus.akraino.org/content/sites/logs/bytedance/job/run-install-bluefield-fs/ https://nexus.akraino.org/content/sites/logs/bytedance/job/run-install-ovs-dpdk/ | Form uploaded Scheduled for API subcommittee review Accepted | Yes | 06/04 | |||||
| 16 | scheduled at | N | N | Form uploaded Reviewed by API subcommittee Accepted | Vuls Exception Akraino CVE Vulnerability Exception Request | Akraino CVE Vulnerability Exception Request
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request Lynis: Accepted with exceptions shown at: Kube-Hunter: Accepted with exceptions shown at: updated results link - 09-dec | Yes | 12/10 | ||||
| 17 | Scheduled at TSC 2021-1-14 (Thurs) 7 am Pacific PCEI Time Slot 7:30-8:00 am Pacific | Y | https://nexus.akraino.org/content/sites/logs/cmti/job/pcei-daily/ | PCEI R4 Datasheet | Form uploaded 4Jan Scheduled for API subcommittee review For R4, third-party location API provided as an example in PCEI architecture diagrams. For R5 they expect PCEI APIs to be exported Accepted | https://nexus.akraino.org/content/sites/logs/pcei/job/v1/ New BluVal logs 2021-01-08: https://nexus.akraino.org/content/sites/logs/pcei/job/v2/results/
Updated BluVal logs with fixed sysctl key net.ipv4.conf.default.accept_source_route https://nexus.akraino.org/content/sites/logs/pcei/job/v3/
Updated BluVal logs with fixed Kube-Hunter Vulnerability KHV050, KHV002, KHV005 https://nexus.akraino.org/content/sites/logs/pcei/job/v4/ |
Vuls: Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request vuls.log included in the new logs (V2) Lynis: Accepted with exceptions shown at: Kube-Hunter: Accepted with exceptions shown at: Release 4 Kube-Hunter Exceptions | Yes | 01/14/21 | |||
| 18 | Scheduled at | Y | N | https://nexus.akraino.org/content/sites/logs/webank/job/ | Federated ML application at edge R4 Datasheet | Form uploaded Reviewed by API subcommittee Accepted | N/A | https://nexus.akraino.org/content/sites/logs/webank/job/FL_SCAN/results/ https://nexus.akraino.org/content/sites/logs/webank/job/FL_SCAN/lynis_fixed/
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request
Lynis: Accepted with exceptions shown at: https://nexus.akraino.org/content/sites/logs/webank/job/FL_SCAN/lynis_fixed2/ Kube-Hunter: Exception granted: K8s not used by this BP. | Yes | 12/08 | ||
| 19 | Scheduled at Release 4 Review 2020-11-17 (Tue) 7 am Pacific | Y | N | https://nexus.akraino.org/content/sites/logs/futurewei/kubeedgees/ | Form uploaded Reviewed by API subcommittee Accepted | Yes https://nexus.akraino.org/content/sites/logs/futurewei/kubeedgees/58/results/ |
Vuls: Accepted with exceptions shown at: Release 4 Vuls Exception Request
Lynis: Accepted Kube-Hunter: Exception granted: KubeEdge node is not on same subnet as the cloud node. Communication occurs through the websocket endpoint, so kube-hunter can't be used. | Yes | 11/17 | |||
| 20 | Y | Prem replied by e-mail 17Jan, API info form is in progress API committee review tentatively scheduled for | ||||||||||
| 21 | Scheduled at Release 4 Review 2020-12-09 | Y | N | https://nexus.akraino.org/content/sites/logs/ai_solutions/job/Eden-flir/ | Form uploaded Reviewed by API subcommittee , waiting for revised API info form to be uploaded 2nd revision of form uploaded by V S Final review by API subcommittee set for Accepted | Yes | 12/09 |